Domain admin users audit

mISARO

Hi,

I need to audit or verify every change that any user with
domain admin rights does in the Domain Controller.

For instance: User Beth removed domain admin rights
from another user who had them. For that reason the user had
several problems working on a project. So the point is, how
may I know that she did it? 'Cos at the same time she has
full rights. How to audit that, or is there any software to check
and keep a log of what changes or movements all
domain admin users make?

Thanks for any comments!!!
 
Herb Martin

mISARO said:
Hi,

I need to audit or verify every change that any user with
domain admin rights does in the Domain Controller.

Audit Account Management is LIKELY what you wish, even
though it doesn't meet the technical requirement of auditing
"every" change by an admin.

For instance: User Beth removed domain admin rights
from another user who had them. For that reason the user had
several problems working on a project. So the point is, how
may I know that she did it? 'Cos at the same time she has
full rights. How to audit that, or is there any software to check
and keep a log of what changes or movements all
domain admin users make?

Account Management auditing will cover (most of) the things
you care about, but if you need more control or granularity you
can also audit specific Directory or File objects after turning
on Directory or File object auditing IN GENERAL.*

*The key point about auditing "objects" is that you must both
turn on the auditing in GENERAL and also set the auditing on
the specific objects (done with properties like permissions).
 
ptwilliams

The first step is to enable auditing. You do this through GPO.
-- http://support.microsoft.com/?id=314955


Once you've enabled auditing then you need a way of checking this. The
cheapest way is via a script. More advanced ways would be through
third-party software such as HP OVOW, MOM, etc.


--

Paul Williams

http://www.msresource.net
http://forums.msresource.net


Hi,

I need to audit or verify every change that any user with
domain admin rights does in the Domain Controller.

For instance: User Beth removed domain admin rights
from another user who had them. For that reason the user had
several problems working on a project. So the point is, how
may I know that she did it? 'Cos at the same time she has
full rights. How to audit that, or is there any software to check
and keep a log of what changes or movements all
domain admin users make?

Thanks for any comments!!!
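
Added example (not part of any post in this thread): one way to do the "cheapest way is via a script" check once Account Management auditing is on, by reducing group-membership events to who changed which member of which group. The event IDs are the ones used by Windows Server 2008 and later and are an assumption here, since the thread names none; `DC01`, `example.test`, the function name and the sample event are constructed for illustration.

```powershell
# Added example, not from the thread. IDs are the Windows Server 2008+
# security-group membership events; the sample data below is constructed.
$GroupChangeIds = @{
    4728 = 'added to global group';    4729 = 'removed from global group'
    4732 = 'added to local group';     4733 = 'removed from local group'
    4756 = 'added to universal group'; 4757 = 'removed from universal group'
}

function ConvertTo-GroupChange {
    # Reduce one event's XML to: who changed which member of which group.
    param([Parameter(Mandatory)][string]$EventXml)
    $evt = ([xml]$EventXml).Event
    $id  = [int]$evt.System['EventID'].InnerText
    if (-not $GroupChangeIds.ContainsKey($id)) { return }   # not a membership change
    $data = @{}
    foreach ($d in $evt.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time   = $evt.System.TimeCreated.SystemTime
        DC     = $evt.System.Computer
        Actor  = '{0}\{1}' -f $data.SubjectDomainName, $data.SubjectUserName
        Action = $GroupChangeIds[$id]
        Member = $data.MemberName
        Group  = $data.TargetUserName
    }
}

# Constructed sample event: "beth" removes a member from Domain Admins.
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4729</EventID><TimeCreated SystemTime="2024-01-01T10:00:00Z"/>
    <Computer>DC01.example.test</Computer></System>
  <EventData>
    <Data Name="MemberName">CN=Some User,CN=Users,DC=example,DC=test</Data>
    <Data Name="TargetUserName">Domain Admins</Data>
    <Data Name="SubjectUserName">beth</Data>
    <Data Name="SubjectDomainName">EXAMPLE</Data>
  </EventData>
</Event>
'@
ConvertTo-GroupChange $sample | Format-List

# Live use (elevated). Run it against every DC: the event is written only to
# the Security log of the DC that processed the change.
# Get-WinEvent -ComputerName DC01 -FilterHashtable @{ LogName = 'Security'; Id = @($GroupChangeIds.Keys) } |
#     ForEach-Object { ConvertTo-GroupChange $_.ToXml() } |
#     Where-Object Group -eq 'Domain Admins'
```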
 
Lanwench [MVP - Exchange]

mISARO said:
Hi,

I need to audit or verify every change that any user with
domain admin rights does in the Domain Controller.

For instance: User Beth removed domain admin rights
from another user who had them. For that reason the user had
several problems working on a project. So the point is, how
may I know that she did it? 'Cos at the same time she has
full rights. How to audit that, or is there any software to check
and keep a log of what changes or movements all
domain admin users make?

Thanks for any comments!!!

In addition to the other replies, don't give domain admin access to users
who don't need it or shouldn't have it.
 
fex

I've been checking the configuration; this is the point:
I don't receive any account management events on Domain
Controllers, however I received all logon events. On the
other hand, I immediately receive any account management
change that I do on any server (Local Security Policy);
that works very well. What could be the reason that account
management events don't apply on the DCs?!

Thanks for any comments!!!
 
Herb Martin

fex said:
I've been checking the configuration; this is the point:
I don't receive any account management events on Domain
Controllers, however I received all logon events. On the
other hand, I immediately receive any account management
change that I do on any server (Local Security Policy);
that works very well. What could be the reason that account
management events don't apply on the DCs?!

Thanks for any comments!!!

1) Not turned on (in general)
2) Turned on a GPO not linked to the DCs
3) Overridden by a later/more specific GPO
4) Not replicated (even if you did turn it on somewhere)
5) No account management was performed
6) Somebody cleared the log (which would at least say THAT
it had been cleared.)

That's pretty much it.
 
