Re: auditing active directory not working properly directory service access

From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 10/22/05

    Date: Fri, 21 Oct 2005 22:39:01 -0500

    Check the other containers such as OUs, computer, user, domain controllers
    to see if any auditing is configured there also which you would also want to
    remove. Another possibility is that your changes of what to audit have not
    replicated to all domain controllers yet. You would want to configure
    auditing only on the pertinent OUs and not on the domain container [unless
    they have access there also] and audit only the specific group of users you
    want to track. Do not audit for everyone, users, domain users, authenticated
    users, etc. for what you are trying to accomplish. Authenticated users and
    everyone would also include all computers in the domain. When you enable
    auditing of object access or directory services you will also see what seems
    to be unrelated events recorded. You will also find that the free Event Comb
    from MS will help scan the security logs for events and text strings you are
    searching for. The command line tool dsacls may also be helpful in looking
    for what is being audited per container if you use the /A switch as in
    "dsacls OU=ouname,dc=mydomain,dc=com /A". Look at the line for audit list:
    which should be the second or third line down in the report. --- Steve

    http://support.microsoft.com/default.aspx?scid=kb;en-us;308471 --- Event
    Comb info.

    "ThijsD" <ThijsD@somewhere.net> wrote in message
    news:GBb6f.28804$UK5.1154186@phobos.telenet-ops.be...
    > Hello,
    >
    > We have a large group of IT personnel that have full control on some
    > OU's in our Active Directory.
    > Recently someone changed the AD permissions on one of those OU's. In the
    > future we need to be able to track who has changed the permissions.
    > We have one domain and our domain controllers are running Windows Server
    > 2003 SP1.
    > After enabling auditing for permission changes on the root of the domain,
    > my security log fills up with all sorts of DSA events, e.g. AD & DNS
    > replication, GAL lookups, ... instead of only the events related to
    > permission changes.
    >
    > This is what I did:
    > I've enabled in the Default Domain Controllers-policy, the "Directory
    > Services Access" policy to true. Then I did a gpupdate /force to reapply
    > the policy.
    > My security log immediately starts to fill up with DSA events... (100
    > events/minute)
    > When I take a look in -> properties of root domain -> security ->
    > auditing, I see the following:
    > All, Everyone, Special, This object & all other objects.
    > When looking further at the 'special' auditing permission, I see lotsa
    > different checkboxes ticked, so it makes sense that the security log is
    > filling up with those events checked.
    >
    > Now the weird thing is that when I remove the default auditing entry
    > (which logs almost everything) and add a new one that only logs "changing
    > permissions", the security log still keeps filling up with the same events.
    > Normally it should only log "permission changes" events now, no?
    > How can I configure the auditing so it only logs events related to
    > permission changes on AD objects, more specifically OU's? What am I doing
    > wrong?
    >
    > Thanks in advance!
    > Best regards,
    > ThijsD
    >
    >
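The scoping advice in Steve's reply (audit the pertinent OUs only, audit a specific group rather than Everyone or Authenticated Users, and check what each container's audit list actually contains) can be turned into a repeatable check. The script below is an added example written for this thread, not code from either poster or from Microsoft. It assumes the ActiveDirectory RSAT module and its AD: drive are available, that the caller holds the "Manage auditing and security log" right, and it uses the OU name from Steve's dsacls example and a made-up group name as placeholders. By default it only reports; with -Apply it adds one narrow audit entry for permission changes (WriteDacl) by the named group.

```powershell
# Added example (not from the original thread): list the SACL on one OU, flag
# over-broad audit entries, and optionally add a narrow "who changed permissions"
# entry. OU DN and group name are placeholders; replace them for your domain.
param(
    [string]$OuDn         = 'OU=ouname,DC=mydomain,DC=com',   # placeholder OU
    [string]$AuditedGroup = 'MYDOMAIN\IT-Admins',             # placeholder group to track
    [switch]$Apply                                            # report only unless given
)

Import-Module ActiveDirectory -ErrorAction Stop

# Auditing these principals also covers every computer account in the domain,
# which is where the "unrelated" replication and lookup events come from.
$broadNames = @('Everyone', 'Authenticated Users', 'Domain Users', 'Users')
$genericAll = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

# -Audit is required to read the SACL rather than just the DACL.
$acl = Get-Acl -Path "AD:\$OuDn" -Audit

Write-Host "Audit list for $OuDn (compare with: dsacls $OuDn /A)"
$rules = $acl.GetAuditRules($true, $true, [System.Security.Principal.NTAccount])
$report = foreach ($r in $rules) {
    $who      = $r.IdentityReference.Value
    $shortWho = $who.Split('\')[-1]
    $isBroad  = ($broadNames -contains $shortWho) -or
                (($r.ActiveDirectoryRights -band $genericAll) -eq $genericAll)
    [pscustomobject]@{
        Principal   = $who
        Rights      = $r.ActiveDirectoryRights
        AuditFlags  = $r.AuditFlags
        Inherited   = $r.IsInherited      # inherited = defined on a parent (e.g. domain root)
        Inheritance = $r.InheritanceType
        Verdict     = if ($isBroad) { 'BROAD - noisy, narrow or remove at its source' } else { 'ok' }
    }
}
$report | Format-Table -AutoSize

# Inherited broad entries cannot be removed here; they must be removed on the
# container that defines them, which is the domain container in the thread.
$inheritedBroad = $report | Where-Object { $_.Inherited -and $_.Verdict -like 'BROAD*' }
if ($inheritedBroad) {
    Write-Warning ("{0} broad entries are inherited from a parent container; " +
                   "fix them there, not on this OU.") -f $inheritedBroad.Count
}

if ($Apply) {
    # One narrow entry: successful changes to the DACL (permission changes) by the
    # named group, applied to this OU and everything beneath it.
    $identity = New-Object System.Security.Principal.NTAccount($AuditedGroup)
    $rights   = [System.DirectoryServices.ActiveDirectoryRights]::WriteDacl
    $flags    = [System.Security.AccessControl.AuditFlags]::Success
    $inherit  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
    $rule = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAuditRule `
                       -ArgumentList $identity, $rights, $flags, $inherit
    $acl.AddAuditRule($rule)
    Set-Acl -Path "AD:\$OuDn" -AclObject $acl
    Write-Host "Added WriteDacl success audit for $AuditedGroup on $OuDn"
}
```

Run it without -Apply first on each OU the IT group controls and on the domain container itself; any entry marked BROAD that is not inherited can be removed on that container through the same Security tab the original question describes, and the dsacls /A line in Steve's reply gives an independent view of the same audit list. Because the SACL is replicated with the object, allow the change to reach all domain controllers before judging whether the security log volume has dropped.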

