Domain admin users audit

Archived from groups: microsoft.public.win2000.active_directory (More info?)

Hi,

I need to audit or verify every change that any user with
domain admin rights makes on the Domain Controller.

For instance: user Beth removed domain admin rights
from another user who had them. For that reason the user had
several problems working on a project. So the point is, how
can I know that she did it, 'cos at the same time she has
full rights? How can I audit that, or is there any software to check
and keep a log of what changes or movements all
domain admin users make?

Thanks for any comments!
  1.

    "mISARO" <anonymous@discussions.microsoft.com> wrote in message
    news:161501c4d19c$7b14a370$a501280a@phx.gbl...
    > Hi,
    >
    > I need to audit or verify every change that any user with
    > domain admin rights makes on the Domain Controller.

    Audit Account Management is LIKELY what you wish, even
    though it doesn't meet the technical requirement of auditing
    "every" change by an admin.

    > For instance: user Beth removed domain admin rights
    > from another user who had them. For that reason the user had
    > several problems working on a project. So the point is, how
    > can I know that she did it, 'cos at the same time she has
    > full rights? How can I audit that, or is there any software to check
    > and keep a log of what changes or movements all
    > domain admin users make?
    >

    Account Management auditing will cover (most of) the things
    you care about, but if you need more control or granularity you
    can also audit specific Directory or File objects after turning
    on Directory or File object auditing IN GENERAL.*

    *The key point about auditing "objects" is that you must both
    turn on the auditing in GENERAL and also set the auditing on
    the specific objects (done with properties like permissions.)


    --
    Herb Martin


    > Thanks for any comments!
  2.

    The first step is to enable auditing. You do this through GPO.
    -- http://support.microsoft.com/?id=314955


    Once you've enabled auditing then you need a way of checking this. The
    cheapest way is via a script. More advanced ways would be through
    third-party software such as HP OVOW, MOM, etc.


    --

    Paul Williams

    http://www.msresource.net
    http://forums.msresource.net


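    One way to do the script-based check mentioned in the reply above, as an added example that is not part of the original thread: it reads the Security log of each DC and reports who added or removed members of privileged groups. It assumes PowerShell on Windows Server 2008 or later (where these event IDs apply) and success auditing of account management on the DCs; the DC names, group list and 7-day window are placeholders.

    ```powershell
    # Added example, not from the thread. Assumes an account that may read the
    # Security log on each DC. DC names are placeholders; replace with your own.
    $domainControllers = 'DC01', 'DC02'
    $watchedGroups     = 'Domain Admins', 'Enterprise Admins', 'Administrators'

    # Security-enabled group membership events (Windows Server 2008 and later).
    $eventMeaning = @{
        4728 = 'added to global group'
        4729 = 'removed from global group'
        4732 = 'added to domain local group'
        4733 = 'removed from domain local group'
        4756 = 'added to universal group'
        4757 = 'removed from universal group'
    }

    $filter = @{
        LogName   = 'Security'
        Id        = @($eventMeaning.Keys)
        StartTime = (Get-Date).AddDays(-7)
    }

    # A change is logged only on the DC that processed it, so every DC is queried.
    $report = foreach ($dc in $domainControllers) {
        # SilentlyContinue hides "no events found"; it also hides access errors.
        Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction SilentlyContinue |
            ForEach-Object {
                # Turn the named EventData fields into a lookup table.
                $data = @{}
                foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
                    $data[$d.Name] = $d.'#text'
                }
                if ($watchedGroups -contains $data['TargetUserName']) {
                    [pscustomobject]@{
                        Time      = $_.TimeCreated
                        DC        = $_.MachineName
                        ChangedBy = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
                        Action    = $eventMeaning[$_.Id]
                        Group     = $data['TargetUserName']
                        Member    = $data['MemberName']
                    }
                }
            }
    }
    $report | Sort-Object Time | Format-Table -AutoSize
    ```

    The ChangedBy column answers the "who did it" question from the original post: it is the account that made the membership change, even when that account is itself a domain admin.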
  3.

    mISARO wrote:
    > Hi,
    >
    > I need to audit or verify every change that any user with
    > domain admin rights makes on the Domain Controller.
    >
    > For instance: user Beth removed domain admin rights
    > from another user who had them. For that reason the user had
    > several problems working on a project. So the point is, how
    > can I know that she did it, 'cos at the same time she has
    > full rights? How can I audit that, or is there any software to check
    > and keep a log of what changes or movements all
    > domain admin users make?
    >
    > Thanks for any comments!

    In addition to the other replies, don't give domain admin access to users
    who don't need it or shouldn't have it.
  4.

    I've been checking the configuration; this is the point:
    I don't receive any account management events on the Domain
    Controllers, however I receive all logon events. On the
    other hand, I immediately receive any account management
    change that I make on any server (Local Security Policy);
    that works very well. What could be the reason that account
    management events don't apply on the DCs?

    Thanks for any comments!


  5.

    "fex" <anonymous@discussions.microsoft.com> wrote in message
    news:14b601c4d695$44bffb00$a501280a@phx.gbl...
    > I've been checking the configuration; this is the point:
    > I don't receive any account management events on the Domain
    > Controllers, however I receive all logon events. On the
    > other hand, I immediately receive any account management
    > change that I make on any server (Local Security Policy);
    > that works very well. What could be the reason that account
    > management events don't apply on the DCs?
    >
    > Thanks for any comments!

    1) Not turned on (in general)
    2) Turned on in a GPO not linked to the DCs
    3) Overridden by a later/more specific GPO
    4) Not replicated (even if you did turn it on somewhere)
    5) No account management was performed
    6) Somebody cleared the log (which would at least say THAT
    it had been cleared.)

    That's pretty much it.

    --
    Herb Martin
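
    The six causes listed above can be checked one by one on the affected DC. The following is an added example, not part of the original thread; it assumes Windows Server 2008 or later (where `auditpol` and these event IDs exist), English-language tool output, PowerShell 3.0 or later and an elevated prompt.

    ```powershell
    # Added example, not from the thread. Run elevated on the domain controller.

    # Causes 1-3: the audit policy actually in effect on this DC, after all GPOs.
    $policy = auditpol /get /category:"Account Management" /r |
        Where-Object { $_ } | ConvertFrom-Csv
    $policy | Select-Object Subcategory, 'Inclusion Setting' | Format-Table -AutoSize
    $off = $policy | Where-Object { $_.'Inclusion Setting' -notmatch 'Success' }
    if ($off) {
        Write-Warning ('Success auditing is off for: ' + ($off.Subcategory -join ', '))
    }

    # Causes 2-3: which GPOs were applied to, or filtered out of, the computer policy.
    gpresult /r /scope computer

    # Cause 4: Active Directory replication status for this DC.
    # (SYSVOL replication, which carries the GPO files, is not checked here.)
    repadmin /showrepl

    # Cause 5: were any account management events logged in the last 7 days?
    # 4720/4726/4738 = user created/deleted/changed; 4728/4729 = global group member added/removed.
    $acctFilter = @{
        LogName   = 'Security'
        Id        = 4720, 4726, 4738, 4728, 4729
        StartTime = (Get-Date).AddDays(-7)
    }
    $recent = Get-WinEvent -FilterHashtable $acctFilter -ErrorAction SilentlyContinue
    'Account management events in the last 7 days: {0}' -f @($recent).Count

    # Cause 6: event 1102 records that the Security log was cleared, and by whom.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1102 } -MaxEvents 5 `
        -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Message | Format-List
    ```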