Re: auditing active directory not working properly directory service access

From: ThijsD (ThijsD_at_somewhere.net)
Date: 10/22/05

  • Next message: Marc: "Re: Users are disappeared from security groups" 
    Date: Sat, 22 Oct 2005 12:22:08 GMT

    Hi Steven,

    Thank you for your answer.
    I'll try this on monday and let you know how it went.

    Best regards,
    ThijsD

    Steven L Umbach wrote:
    > Check the other containers such as OUs, computer, user, domain controllers
    > to see if any auditing is configured there also which you would also want to
    > remove. Another possibility is that your changes of what to audit has not
    > replicated to all domain controllers yet. You would want to configure
    > auditing only on the pertinent OUs and not on the domain container [unless
    > they have access there also] and audit only the specific group of users you
    > want to track. Do not audit for everyone, users, domain users, authenticated
    > users, etc for what you are trying to accomplish. Authenticates users and
    > everyone would also include all computers in the domain. When you enable
    > auditing of object access or directory services you will also see what seems
    > to be unrelated events recorded. You will also find that the free Event Comb
    > from MS will help scan the security logs for events and text strings you are
    > searching for. The command line tools dsacls may also be helpful in looking
    > for what is being audited per container if you use the /A switch as in "
    > dsacls OU=ouname,dc=mydomain,dc=com /A " . Look at the line for audit list:
    > which should be the second or third line down in the report. --- Steve
    >
    > http://support.microsoft.com/default.aspx?scid=kb;en-us;308471 --- Event
    > Comb info.
    >
    > "ThijsD" <ThijsD@somewhere.net> wrote in message
    > news:GBb6f.28804$UK5.1154186@phobos.telenet-ops.be...
    >
    >>Hello,
    >>
    >>We have a large group of IT personnel that have full control on some
    >>OU's in our Active Directory.
    >>Recently someone changed the AD permissions on one of those OU's. In the
    >>future we need to be able to track who has changed the permissions.
    >>We have one domain and our domain controllers are running Windows Server
    >>2003 SP1.
    >>After enabling auditing for permission changes on the root of the domain,
    >>my securitylog fills up with all sorts of DSA events, e.g. AD & DNS
    >>replication, GAL lookups, ... Instead of only the events related to
    >>permission changes.
    >>
    >>This is what I did:
    >>I've enabled in the Default Domain Controllers-policy, the "Directory
    >>Services Access" policy to true. Then I did a gpupdate /force to reapply
    >>the policy.
    >>My securitylog immediately start to fill up with DSA events... (100
    >>events/minute)
    >>When I take a look in -> properties of root domain -> security ->
    >>auditing, I see the following:
    >>All, Everyone, Special, This object & all other objects.
    >>When looking further at the 'special' auditing permission, I see lotsa
    >>different checkboxes ticked, so it makes sense that the securitylog is
    >>filling up with those events checked.
    >>
    >>Now the weird thing is that when I remove the default auditing entry
    >>(which logs almost everything) and add a new one that only logs "changing
    >>permissions", the securitylog still keeps filling up with the same events.
    >>Normally it should only log "permission changes" events now, no?
    >>How can I configure the auditing so it only logs events related to
    >>permission changes on AD objects, more specific OU's? What am I doing
    >>wrong?
    >>
    >>Thanks in advance!
    >>Best regards,
    >>ThijsD
    >>
    >>
    >
    >
    >

  • Next message: Marc: "Re: Users are disappeared from security groups"

    Relevant Pages

    • Re: auditing active directory not working properly directory service access
      ... Check the other containers such as OUs, computer, user, domain controllers ... to see if any auditing is configured there also which you would also want to ... > After enabling auditing for permission changes on the root of the domain, ...
      (microsoft.public.windows.server.security)
    • Re: COTS application suggestions for auditing
      ... > should not be causing much performance slowdown. ... and as I previously wrote, they want all the permission changes, policy ... narrow down the scope of the auditing. ... that the COTS app isn't available anymore. ...
      (microsoft.public.security)
    • Re: Auditing Questions
      ... By default Auditing is set on Domain Controllers GPO setting and thus ... You could enable auditing on your Domain level. ... > Does Auditing of events (example is Account Management ...
      (microsoft.public.win2000.active_directory)
    • Re: FSO to non domain server UNC?
      ... > auditing on all domain controllers for that domain. ... > for logon failure on all domain controllers and you still see nothing in the ... the IWAM and IUSR accounts - just not when FSO does it from a web page. ...
      (microsoft.public.inetserver.iis.security)
    • Re: auditing active directory not working properly directory service access
      ... I verified that all containers have no auditing entries set. ... I've then deleted the audit entry to see if the securitylog keeps ... What do you mean with enable auditing of "object access or directory ... >>After enabling auditing for permission changes on the root of the domain, ...
      (microsoft.public.windows.server.security)
    • Quantcast