Re: Audit domain admins

• Previous message: Roger Abell [MVP]: "Re: FTP Thru IPsec"
• In reply to: Misaro: "Audit domain admins"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Tue, 23 Nov 2004 23:07:28 -0700

Just to add to what Steve has said, you must decide for what
there is to be an audit trail created, and also for when that is
done by whom.

In other words, one does not say, "tell me everything admin
account Beth does", or "tell me everything any Domain Admin
has done". There are a few exceptions to this, but you usually
need to identify the resource change that is of interest.
In other words, you select who doing what to what thing will
cause an audit record. For example, you can audit any delete
by any Domain Admin in the C:\, for the C:\windows storage.

There are some exceptions, such as the policies to audit use
of privilege, to audit account management events, and to audit
policy changes (which you will find in group policy in the computer
settings tree under Windows \ Security \ Local \ Audit )
of system policies. These sound like the ones you want for the
situation you mentioned - however, keep in mind that the admin
can also clear the logs or shut logging off. The bottom line is
as usual, if you cannot trust them, or if they do not know better,
then maybe they ought not have the ability of an admin.

-- 
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCDBA,  MCSE W2k3+W2k+Nt4
"Misaro" <anonymous@discussions.microsoft.com> wrote in message 
news:8bbf01c4d19c$650cfd70$a601280a@phx.gbl...
> Hi,
>
> I need to audit or verify every change that any user with
> domain admin  rights do in the Domain Controller.
>
> For instance: User Beth, she removed domain admin rights
> to another user who had them. For that reason the user had
> several problems working on a project. So the point is how
> may I know that she did it ? 'Cos at the same time she has
> full rights? How to audit that , or any software to check
> and keep a log about what changes or movements do all
> domain admins users !!
>
> Thanks any comments !!! 

• Previous message: Roger Abell [MVP]: "Re: FTP Thru IPsec"
• In reply to: Misaro: "Audit domain admins"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages Re: Domain admin users audit ... The first step is to enable auditing. ... I need to audit or verify every change that any user with domain admin rights do in the Domain Controller. ... (microsoft.public.win2000.active_directory) Domain admin users audit ... she removed domain admin rights ... How to audit that, ... (microsoft.public.win2000.active_directory) Audit domain admins ... she removed domain admin rights ... How to audit that, ... (microsoft.public.win2000.security) Re: Domain admin users audit ... > domain admin rights do in the Domain Controller. ... Audit Account Management is LIKELY what you wish, ... Account Management auditing will cover the things ... can also audit specific Directory or File objects after turning ... (microsoft.public.win2000.active_directory) Re: Domain admin users audit ... > domain admin rights do in the Domain Controller. ... How to audit that, ... (microsoft.public.win2000.active_directory)