Audit domain admins

Misaro

Hi,

I need to audit or verify every change that any user with
domain admin rights makes on the Domain Controller.

For instance: User Beth removed domain admin rights
from another user who had them. For that reason the user had
several problems working on a project. So the point is, how
can I know that she did it, because at the same time she has
full rights? How to audit that, or is there any software to check
and keep a log of what changes or movements all
domain admin users make!!

Thanks for any comments!!!


Steven L Umbach

I don't know of a way to audit everything. For instance I don't know of a
good way to audit who changed a Group Policy user configuration setting but
you can audit a lot. On Domain Controller Security Policy enable auditing of
account management, policy change, and system events which will record
events for when a user creates/manages users [including password reset] or
groups, when a user changes audit policy or user rights assignments, or when
certain system events occur. The events would be recorded in the security
logs of the domain controllers and you would have to check each domain
controller which can easily be done with the free Event Comb tool from
Microsoft. The link below contains much more detail including explanation of
common events recorded in the security log. --- Steve

http://www.microsoft.com/technet/security/guidance/secmod144.mspx

Roger Abell [MVP]

Just to add to what Steve has said, you must decide for what
there is to be an audit trail created, and also for when that is
done by whom.

In other words, one does not say, "tell me everything admin
account Beth does", or "tell me everything any Domain Admin
has done". There are a few exceptions to this, but you usually
need to identify the resource change that is of interest.
In other words, you select who doing what to what thing will
cause an audit record. For example, you can audit any delete
by any Domain Admin in the C:\, for the C:\windows storage.

There are some exceptions, such as the policies to audit use
of privilege, to audit account management events, and to audit
policy changes (which you will find in group policy in the computer
settings tree under Windows \ Security \ Local \ Audit )
of system policies. These sound like the ones you want for the
situation you mentioned - however, keep in mind that the admin
can also clear the logs or shut logging off. The bottom line is
as usual, if you cannot trust them, or if they do not know better,
then maybe they ought not have the ability of an admin.
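As an added example (not from this thread, and not Microsoft's Event Comb tool), the PowerShell below does the collection step Steve describes: it reads the Security log of every domain controller for the events that the Account Management and Policy Change categories produce, attributes each one to the admin account that caused it, and separately flags the two events Roger warns about (audit log cleared, audit policy changed). It assumes a domain-joined admin workstation with the RSAT ActiveDirectory module and remote Event Log access to each DC; the event IDs are the standard Windows Server 2008-and-later Security-log IDs, and the `$Hours` and `$WatchGroup` parameters are this example's own.

```powershell
<#
  Added example, not code from the thread or from Microsoft.
  Assumptions: RSAT ActiveDirectory module installed, remote Event Log (RPC)
  access to every DC, Windows Server 2008+ Security-log event IDs.
#>
#Requires -Modules ActiveDirectory
param(
    [int]$Hours = 24,                     # how far back to look
    [string]$WatchGroup = 'Domain Admins' # group whose membership changes matter most
)

# One-time setup per DC (or in the Default Domain Controllers Policy):
# the three categories Steve names, enabled with auditpol.
#   auditpol /set /category:"Account Management" /success:enable /failure:enable
#   auditpol /set /category:"Policy Change"      /success:enable /failure:enable
#   auditpol /set /category:"System"             /success:enable /failure:enable

# Security-log event IDs this report looks for.
$EventIds = @{
    4728 = 'Member added to security-enabled global group'
    4729 = 'Member removed from security-enabled global group'
    4756 = 'Member added to security-enabled universal group'
    4757 = 'Member removed from security-enabled universal group'
    4724 = 'Password reset attempted on another account'
    4719 = 'System audit policy was changed'
    1102 = 'The audit log was cleared'
}
$TamperIds = 4719, 1102   # Roger's caveat: logging turned off or wiped

function Get-EventFields {
    # Flatten the event XML into a name/value table. Most Security events
    # carry EventData/Data; 1102 carries UserData/LogFileCleared instead.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $x = [xml]$Event.ToXml()
    $fields = @{}
    foreach ($d in @($x.Event.EventData.Data)) {
        if ($d.Name) { $fields[$d.Name] = $d.'#text' }
    }
    if ($x.Event.UserData.LogFileCleared) {
        $fields['SubjectUserName'] = $x.Event.UserData.LogFileCleared.SubjectUserName
    }
    return $fields
}

$since = (Get-Date).AddHours(-$Hours)
$dcs   = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

$report = foreach ($dc in $dcs) {
    # Each DC keeps its own Security log, so every DC has to be read.
    $events = Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue `
        -ErrorVariable readErr -FilterHashtable @{
            LogName   = 'Security'
            Id        = @($EventIds.Keys)
            StartTime = $since
        }
    if ($readErr -and $readErr[0].Exception.Message -notmatch 'No events were found') {
        # A DC that cannot be read is itself worth noting: logging may be off.
        Write-Warning "Could not read the Security log on $dc : $($readErr[0])"
        continue
    }
    foreach ($e in $events) {
        $f = Get-EventFields -Event $e
        [pscustomobject]@{
            Time    = $e.TimeCreated
            DC      = $dc
            EventId = $e.Id
            What    = $EventIds[$e.Id]
            Actor   = $f['SubjectUserName']   # the admin who made the change
            Target  = $f['TargetUserName']    # group or account acted on
            Member  = $f['MemberName']        # DN of the member added/removed
            Tamper  = $TamperIds -contains $e.Id
        }
    }
}

# Everything, in time order.
$report | Sort-Object Time | Format-Table Time, DC, EventId, Actor, Target, Member -AutoSize

# Log cleared or audit policy changed: as significant as any membership change.
$report | Where-Object Tamper | Format-Table Time, DC, What, Actor -AutoSize

# The scenario in the question: who removed whom from the watched group.
$report | Where-Object { $_.EventId -in 4729, 4757 -and $_.Target -eq $WatchGroup } |
    Format-Table Time, DC, Actor, Member -AutoSize
```

In the question's scenario, a 4729 event on the DC that handled the change names Beth in `Actor`, the group in `Target`, and the removed account's distinguished name in `Member`. The tamper view is the practical answer to Roger's point: an admin can clear the log, but the 1102 event that records the clearing (and any 4719 audit policy change) is written to the same log and also, where it is configured, to a central collector the admin cannot reach.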