Re: Audit domain admins

From: Roger Abell [MVP] (
Date: 11/24/04

  • Next message: NewComer: "Security for Win2003 Servers"
    Date: Tue, 23 Nov 2004 23:07:28 -0700

    Just to add to what Steve has said, you must decide for what
    there is to be an audit trail created, and also for when that is
    done by whom.

    In other words, one does not say, "tell me everything admin
    account Beth does", or "tell me everything any Domain Admin
    has done". There are a few exceptions to this, but you usually
    need to identify the resource change that is of interest.
    In other words, you select who doing what to what thing will
    cause an audit record. For example, you can audit any delete
    by any Domain Admin in the C:\, for the C:\windows storage.

    There are some exceptions, such as the policies to audit use
    of privilege, to audit account management events, and to audit
    policy changes (which you will find in group policy in the computer
    settings tree under Windows \ Security \ Local \ Audit )
    of system policies. These sound like the ones you want for the
    situation you mentioned - however, keep in mind that the admin
    can also clear the logs or shut logging off. The bottom line is
    as usual, if you cannot trust them, or if they do not know better,
    then maybe they ought not have the ability of an admin.

    Roger Abell
    Microsoft MVP (Windows Server System: Security)
    MCDBA,  MCSE W2k3+W2k+Nt4
    "Misaro" <> wrote in message 
    > Hi,
    > I need to audit or verify every change that any user with
    > domain admin  rights do in the Domain Controller.
    > For instance: User Beth, she removed domain admin rights
    > to another user who had them. For that reason the user had
    > several problems working on a project. So the point is how
    > may I know that she did it ? 'Cos at the same time she has
    > full rights? How to audit that , or any software to check
    > and keep a log about what changes or movements do all
    > domain admins users !!
    > Thanks any comments !!! 

  • Next message: NewComer: "Security for Win2003 Servers"