auditing active directory not working properly directory service access

From: ThijsD (ThijsD_at_somewhere.net)
Date: 10/21/05

    Date: Fri, 21 Oct 2005 19:47:50 GMT
    
    

    Hello,

    We have a large group of IT personnel that have full control on some
    OUs in our Active Directory.
    Recently someone changed the AD permissions on one of those OUs. In the
    future we need to be able to track who has changed the permissions.
    We have one domain and our domain controllers are running Windows Server
    2003 SP1.
    After enabling auditing for permission changes on the root of the
    domain, my security log fills up with all sorts of DSA events, e.g. AD &
    DNS replication, GAL lookups, ... instead of only the events related to
    permission changes.

    This is what I did:
    In the Default Domain Controllers policy, I've set the "Directory
    Services Access" policy to true. Then I did a gpupdate /force to reapply
    the policy.
    My security log immediately started to fill up with DSA events... (100
    events/minute)
    When I take a look in -> properties of root domain -> security ->
    auditing, I see the following:
    All, Everyone, Special, This object & all other objects.
    When looking further at the 'special' auditing permission, I see lotsa
    different checkboxes ticked, so it makes sense that the security log is
    filling up with those events checked.

    Now the weird thing is that when I remove the default auditing entry
    (which logs almost everything) and add a new one that only logs
    "changing permissions", the security log still keeps filling up with the
    same events. Normally it should only log "permission changes" events
    now, no?
    How can I configure the auditing so it only logs events related to
    permission changes on AD objects, more specifically OUs? What am I doing wrong?

    Thanks in advance!
    Best regards,
    ThijsD

