Account management events audit !!

fex

Nov 28, 2004
Archived from groups: microsoft.public.win2000.active_directory

Hello,

I've been auditing multiple events (System Events, Policy Changes,
Logon Events), but especially all events referring to Account
Management, like User Account Created, User Account Deleted, etc.
However, I applied the auditing to the default group Everyone on the
Default Domain Controller Policy, to check especially all changes
made by users with domain admin rights. But at this moment they are
changing users, passwords, deleting users, and I don't receive any
event ID (for instance, ID: 624-627-630) at the moment they apply any
change on the DC.

I would like to know what my misconfiguration is, or whether I need
more configuration, or whether the default group is not applied the
right way?

I will be thankful for any comment!!!
 
Guest

You probably have no users in the Default Domain Controllers OU (Only domain
controllers). Put the auditing on an OU that contains users -or- put the
auditing on the default domain policy. That should take care of the
problem.

--

Paul Bergson MCT, MCSE, MCSA, CNE, CNA, CCA

This posting is provided "AS IS" with no warranties, and confers no rights.



"fex" <anonymous@discussions.microsoft.com> wrote in message
news:0dcc01c4d5a6$4888f880$a501280a@phx.gbl...
>
> Hello,
>
> I've been auditing multiple events (System Events, Policy Changes,
> Logon Events), but especially all events referring to Account
> Management, like User Account Created, User Account Deleted, etc.
> However, I applied the auditing to the default group Everyone on the
> Default Domain Controller Policy, to check especially all changes
> made by users with domain admin rights. But at this moment they are
> changing users, passwords, deleting users, and I don't receive any
> event ID (for instance, ID: 624-627-630) at the moment they apply any
> change on the DC.
>
> I would like to know what my misconfiguration is, or whether I need
> more configuration, or whether the default group is not applied the
> right way?
>
> I will be thankful for any comment!!!
 

fex


I applied the audit to the Default Domain Policy. I created
users, deleted users, moved rights, and after all those
changes I can't see any event ID (624-625-630).

Thanks for any comment!!

>-----Original Message-----
>You probably have no users in the Default Domain Controllers OU (Only domain
>controllers). Put the auditing on an OU that contains users -or- put the
>auditing on the default domain policy. That should take care of the
>problem.
>
>--
>
>Paul Bergson MCT, MCSE, MCSA, CNE, CNA, CCA
>
>This posting is provided "AS IS" with no warranties, and confers no rights.
>
>"fex" <anonymous@discussions.microsoft.com> wrote in message
>news:0dcc01c4d5a6$4888f880$a501280a@phx.gbl...
>>
>> Hello,
>>
>> I've been auditing multiple events (System Events, Policy Changes,
>> Logon Events), but especially all events referring to Account
>> Management, like User Account Created, User Account Deleted, etc.
>> However, I applied the auditing to the default group Everyone on the
>> Default Domain Controller Policy, to check especially all changes
>> made by users with domain admin rights. But at this moment they are
>> changing users, passwords, deleting users, and I don't receive any
>> event ID (for instance, ID: 624-627-630) at the moment they apply any
>> change on the DC.
>>
>> I would like to know what my misconfiguration is, or whether I need
>> more configuration, or whether the default group is not applied the
>> right way?
>>
>> I will be thankful for any comment!!!