Active Directory Security Auditing, any suggestions?

Guest

Hi all,

I'm looking for a tool that can be used by the security team to baseline and
report on any modifications made to Active Directory.

This would include changes in group membership (especially the obvious
domain and schema admins), changes in user rights, etc.

I had a feeling that MOM could do this but on slightly closer inspection it
only appears to be interested in AD health.

So anyone got any suggestions as to what to evaluate and what not to touch
with a bargepole?

Cheers


Mark
 
Steven L Umbach

I don't know of such a tool offhand but you can use Group Policy Restricted
Groups to enforce group memberships and also enable auditing of account
management in Domain Controller Security Policy to monitor for changes to
users and groups. User rights and security policy can also be managed and
enforced via Group Policy. You can create baseline security templates to
enforce such and you also can use the baseline security template to use the
Security Configuration and Analysis MMC snap-in to do an analysis of a
computer to compare the baseline security template to the actual effective
security policy on the computer to check for changes that an admin may have
done. You can also use secedit to script such an analysis. If you have an XP
Pro administrative workstation in the domain you can install adminpak for
Windows 2003 [free download from MS] and use the AD command line tools such
as dsquery and dsget to enumerate groups including nested groups. There also
is a tool called Hyena that you may want to check out which has a free trial
period from Somarsoft and their dumpsec tool is free and handy. The links
below have more details. --- Steve

http://www.microsoft.com/technet/prodtechnol/windows2000serv/howto/seconfig.mspx
http://www.microsoft.com/windowsxp/...using/productdoc/en/DS_command_line_tools.asp
http://www.somarsoft.com/somarsoft_main.htm
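
An added example, not part of either post: one way to turn the dsquery/dsget enumeration mentioned above into the baseline-and-report check the question asks for, by diffing a saved membership dump against a fresh one. It assumes the dumps hold one quoted distinguished name per line, as produced by `dsquery group -name "Domain Admins" | dsget group -members -expand`; the sample names, the domain and the function names are constructed for illustration.

```python
"""Diff privileged-group membership against a saved baseline dump."""

# Constructed sample dumps (made-up accounts and domain), in the assumed
# dsget output shape: one quoted distinguished name per line.
BASELINE = '''\
"CN=Administrator,CN=Users,DC=example,DC=local"
"CN=Alice Admin,OU=IT,DC=example,DC=local"
'''
CURRENT = '''\
"CN=Administrator,CN=Users,DC=example,DC=local"
"cn=alice admin,ou=IT,DC=example,DC=local"
"CN=Temp Helpdesk,OU=Staff,DC=example,DC=local"
'''


def parse_members(text):
    """Return {case-folded DN: DN as printed} for every DN line in a dump."""
    members = {}
    for line in text.splitlines():
        dn = line.strip().strip('"').strip()
        # Skip blank lines and any status text that is not a DN.
        if "=" not in dn:
            continue
        # Compare DNs case-insensitively so a change in letter case alone
        # is not reported as a membership change.
        members[dn.casefold()] = dn
    return members


def diff_membership(baseline_text, current_text):
    """Return (added, removed) DN lists relative to the baseline, sorted."""
    base = parse_members(baseline_text)
    cur = parse_members(current_text)
    added = sorted(cur[k] for k in cur.keys() - base.keys())
    removed = sorted(base[k] for k in base.keys() - cur.keys())
    return added, removed


def report(group, baseline_text, current_text):
    """Build a short text report suitable for a scheduled job's output."""
    added, removed = diff_membership(baseline_text, current_text)
    lines = [f"{group}: {len(added)} added, {len(removed)} removed"]
    lines += [f"  + {dn}" for dn in added]
    lines += [f"  - {dn}" for dn in removed]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report("Domain Admins", BASELINE, CURRENT))
```

Keep one baseline file per group (Domain Admins, Schema Admins and so on) and treat any non-empty diff as something to reconcile against the account management audit events on the domain controllers.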
 
