We have a native 2000 domain that was just upgraded to 2003 but still have some 2000 member servers. Just wondering the best way to apply policy for auditing changes to policy, auditing changes to user permissions and resetting passwords. Should we make this overall policy at the domain security policy level, domain controller security or the OU that contains our admins? What's best practice for applying auditing policy?

Before answering, you need to answer some questions yourself:

* On which machines do you want auditing?
* What do you want to audit?
* Who do you want to audit?
* Do you need different auditing configurations?

Auditing changes to policies -> Policies are stored in AD and linked at several levels (site, domain, OU). For this you need to configure the machines that host AD... the DCs. Take a look at the Default Domain Controllers policy.

Auditing changes to user permissions -> I guess the data with permissions is on the member servers, and for this you could use a GPO linked to the OU of the member servers and configure the GPO with the auditing settings (enabling and specifying success and/or failure) you want. Additionally you need to define what data to audit and for whom.

Auditing changes for resetting passwords -> same applies as the first. The passwords are stored in AD and AD is hosted by DCs. So you need to configure the Default Domain Controllers GPO with account management and success and/or failure. Additionally you need to configure auditing on the OU with the users for whom you want to audit the password resets. You need to define the action and for whom.

Last tip: be careful with the auditing settings, as this could swamp your logs.

Look at:
http://www.microsoft.com/technet/pr...elp/5658fae8-985f-48cc-b1bf-bd47dc210916.mspx
good luck!
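
As an added example (not part of the original posts): one way to verify that the audit categories discussed in the answer are actually in effect on a given machine is to export its security settings with `secedit /export /cfg` and check the `[Event Audit]` section. The mapping of goals to categories per role, the function names and the sample template below are assumptions made for illustration.

```python
# Added example: check a secedit-exported template against the audit
# categories the answer calls for. Names and sample data are constructed.

# Assumed mapping of the answer's goals to [Event Audit] keys, per role.
REQUIRED = {
    "dc": {
        "AuditAccountManage": "password resets and other account changes",
        "AuditDSAccess": "changes to policy objects stored in AD",
        "AuditPolicyChange": "changes to the audit policy itself",
    },
    "member": {"AuditObjectAccess": "permission changes on audited data"},
}
# Template values: bit 0 = success, bit 1 = failure.
FLAGS = {0: "none", 1: "success", 2: "failure", 3: "success+failure"}

def parse_event_audit(inf_text):
    """Return {key: int} for the [Event Audit] section of a template."""
    settings, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "event audit" and "=" in line:
            key, _, value = line.partition("=")
            if value.strip().isdigit():
                settings[key.strip()] = int(value)
    return settings

def audit_gaps(inf_text, role, need=1):
    """List (key, current, reason) where the needed bits (1, 2 or 3) are unset."""
    current = parse_event_audit(inf_text)
    gaps = []
    for key, reason in REQUIRED[role].items():
        value = current.get(key, 0)  # a missing key is treated as "none"
        if value & need != need:
            gaps.append((key, FLAGS.get(value, "unknown"), reason))
    return gaps

# Constructed sample of an exported template from a domain controller.
SAMPLE_DC = """[Unicode]
Unicode=yes
[Event Audit]
AuditAccountManage = 1
AuditDSAccess = 0
AuditPolicyChange = 3
AuditObjectAccess = 0
[Version]
signature="$CHICAGO$"
"""
```

Running `audit_gaps` with `need=3` also flags categories that log success only, which matters when failed attempts should be recorded as well.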