Sign in with
Sign up | Sign in
Your question

Domain admin users audit

Last response: in Windows 2000/NT
Share
Anonymous
November 23, 2004 3:39:08 PM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

Hi,

I need to audit or verify every change that any user with
domain admin rights do in the Domain Controller.

For instance: User Beth, she removed domain admin rights
to another user who had them. For that reason the user had
several problems working on a project. So the point is how
may I know that she did it ? 'Cos at the same time she has
full rights? How to audit that , or any software to check
and keep a log about what changes or movements do all
domain admins users !!

Thanks any comments !!!
Anonymous
November 23, 2004 6:38:17 PM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

"mISARO" <anonymous@discussions.microsoft.com> wrote in message
news:161501c4d19c$7b14a370$a501280a@phx.gbl...
> Hi,
>
> I need to audit or verify every change that any user with
> domain admin rights do in the Domain Controller.

Audit Account Management is LIKELY what you wish, even
though it doesn't meet the technical requirement of auditing
"every" change by an admin.

> For instance: User Beth, she removed domain admin rights
> to another user who had them. For that reason the user had
> several problems working on a project. So the point is how
> may I know that she did it ? 'Cos at the same time she has
> full rights? How to audit that , or any software to check
> and keep a log about what changes or movements do all
> domain admins users !!
>

Account Management auditing will cover (most of) the things
you care about, but if you need most control or granularity you
can also audit specific Directory or File objects after turning
on Direct or File object auditing IN GENERAL.*

*The key point about auditing "objects", is that you must both
turn on the auditing in GENERAL and also set the auditing on
the specific objects (done with properties like permissions.)


--
Herb Martin


> Thanks any comments !!!
Anonymous
November 24, 2004 12:46:20 AM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

The first step is to enable auditing. You do this through GPO.
-- http://support.microsoft.com/?id=314955


Once you've enabled auditing then you need a way of checking this. The
cheapest way is via a script. More advanced ways would be through
third-party software such as HP OVOW, MOM, etc.


--

Paul Williams

http://www.msresource.net
http://forums.msresource.net


"mISARO" <anonymous@discussions.microsoft.com> wrote in message
news:161501c4d19c$7b14a370$a501280a@phx.gbl...
Hi,

I need to audit or verify every change that any user with
domain admin rights do in the Domain Controller.

For instance: User Beth, she removed domain admin rights
to another user who had them. For that reason the user had
several problems working on a project. So the point is how
may I know that she did it ? 'Cos at the same time she has
full rights? How to audit that , or any software to check
and keep a log about what changes or movements do all
domain admins users !!

Thanks any comments !!!
Related resources
Anonymous
November 24, 2004 2:12:16 AM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

mISARO wrote:
> Hi,
>
> I need to audit or verify every change that any user with
> domain admin rights do in the Domain Controller.
>
> For instance: User Beth, she removed domain admin rights
> to another user who had them. For that reason the user had
> several problems working on a project. So the point is how
> may I know that she did it ? 'Cos at the same time she has
> full rights? How to audit that , or any software to check
> and keep a log about what changes or movements do all
> domain admins users !!
>
> Thanks any comments !!!

In addition to the other replies, don't give domain admin access to users
who don't need it or shouldn't have it.
November 29, 2004 11:30:06 PM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

I've been checking the configuration ; this is the point:
I don't receive any account management Event on Domain
Controllers however i received all logon events , at the
other hand i receive inmediatly any account management
change that i do on any server (Local Security Policy)
works very well, What could be the reason that account
management events doesn't apply on the DC's.!!

Thanks any comments !!!



>-----Original Message-----
>"mISARO" <anonymous@discussions.microsoft.com> wrote in
message
>news:161501c4d19c$7b14a370$a501280a@phx.gbl...
>> Hi,
>>
>> I need to audit or verify every change that any user
with
>> domain admin rights do in the Domain Controller.
>
>Audit Account Management is LIKELY what you wish, even
>though it doesn't meet the technical requirement of
auditing
>"every" change by an admin.
>
>> For instance: User Beth, she removed domain admin rights
>> to another user who had them. For that reason the user
had
>> several problems working on a project. So the point is
how
>> may I know that she did it ? 'Cos at the same time she
has
>> full rights? How to audit that , or any software to
check
>> and keep a log about what changes or movements do all
>> domain admins users !!
>>
>
>Account Management auditing will cover (most of) the
things
>you care about, but if you need most control or
granularity you
>can also audit specific Directory or File objects after
turning
>on Direct or File object auditing IN GENERAL.*
>
>*The key point about auditing "objects", is that you must
both
>turn on the auditing in GENERAL and also set the auditing
on
>the specific objects (done with properties like
permissions.)
>
>
>--
>Herb Martin
>
>
>> Thanks any comments !!!
>
>
>.
>
Anonymous
November 30, 2004 2:58:34 AM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

"fex" <anonymous@discussions.microsoft.com> wrote in message
news:14b601c4d695$44bffb00$a501280a@phx.gbl...
> I've been checking the configuration ; this is the point:
> I don't receive any account management Event on Domain
> Controllers however i received all logon events , at the
> other hand i receive inmediatly any account management
> change that i do on any server (Local Security Policy)
> works very well, What could be the reason that account
> management events doesn't apply on the DC's.!!
>
> Thanks any comments !!!

1) Not turned on (in general)
2) Turned on a GPO not linked to the DCs
3) Overridden by a later/more specific GPO
4) Not replicated (even if you did turn it on somewhere)
5) No account management was performed
6) Somebody cleared the log (which would at least say THAT
it had been cleared.)

That's pretty much it.

--
Herb Martin
!