Re: Audit domain admins
From: Roger Abell [MVP] (mvpNoSpam_at_asu.edu)
Date: Tue, 23 Nov 2004 23:07:28 -0700
Just to add to what Steve has said, you must decide for what
there is to be an audit trail created, and also for when that is
done by whom.
In other words, one does not say, "tell me everything admin
account Beth does", or "tell me everything any Domain Admin
has done". There are a few exceptions to this, but you usually
need to identify the resource change that is of interest.
In other words, you select who doing what to what thing will
cause an audit record. For example, you can audit any delete
by any Domain Admin in the C:\, for the C:\windows storage.
There are some exceptions, such as the policies to audit use
of privilege, to audit account management events, and to audit
policy changes (which you will find in group policy in the computer
settings tree under Windows \ Security \ Local \ Audit )
of system policies. These sound like the ones you want for the
situation you mentioned - however, keep in mind that the admin
can also clear the logs or shut logging off. The bottom line is
as usual, if you cannot trust them, or if they do not know better,
then maybe they ought not have the ability of an admin.
-- Roger Abell Microsoft MVP (Windows Server System: Security) MCDBA, MCSE W2k3+W2k+Nt4 "Misaro" <email@example.com> wrote in message news:firstname.lastname@example.org... > Hi, > > I need to audit or verify every change that any user with > domain admin rights do in the Domain Controller. > > For instance: User Beth, she removed domain admin rights > to another user who had them. For that reason the user had > several problems working on a project. So the point is how > may I know that she did it ? 'Cos at the same time she has > full rights? How to audit that , or any software to check > and keep a log about what changes or movements do all > domain admins users !! > > Thanks any comments !!!