Event ID for changing Inheritance of object permissions

Guest

Greetings,

I've been tasked with creating a MOM alert for anytime someone changes the
Advanced Security Setting, "Inherit from parent the permission entries that
apply to child objects. Include these with entries explicitly defined
here.", for both OU or object.

Unfortunately, I cannot seem to find the Event ID associated with this
Success Audit. Both Audit account management and Audit directory service
access are enabled for Success in the Default Domain Policy. However, I
cannot seem to find a Success Audit event when I modify this setting in one
of my test OUs. Can anyone point me in the right direction for finding the
applicable Event ID?

Sorry if this is the wrong forum, but it seemed more relevant to security
than MOM, and I've been flailing a bit trying to find the answer on my own.

Thanks again!
 
Sean Cai [MSFT]

Hello,

Thank you for using the newsgroup!

The following record is what was logged when I set the "Allow inheritable
permissions from the parent to propagate to this object and all child
objects." option on the container "Domain controllers" in a test
environment.
7/10/2007 6:32:36 PM Security Success Audit Directory Service Access 566
MOM20050\Administrator SHLAB-NNZGIX6VO "Object Operation:
Object Server: DS
Operation Type: Object Access
Object Type: organizationalUnit
Object Name: OU=Domain Controllers,DC=MOM2005,DC=LOCAL
Handle ID: -
Primary User Name: SHLAB-NNZGIX6VO$
Primary Domain: MOM20050
Primary Logon ID: (0x0,0x3E7)
Client User Name: Administrator
Client Domain: MOM20050
Client Logon ID: (0x0,0x311FC)
Accesses: WRITE_DAC

Properties:
WRITE_DAC
organizationalUnit

Additional Info:
Additional Info2:
Access Mask: 0x40000

You can save the event log to a text file (as I did) so that you can search
for key words like the container name in the log file instead of reading the
records one by one.

Hope my reply helps.

Best Regards,

Sean Cai
MCSE2000
Microsoft Online Support
Microsoft Global Technical Support Center
Get Secure! - www.microsoft.com/security
=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
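As an added example (not part of this thread and not Microsoft code), the following Python script does the keyword search described in the post above programmatically: it parses a saved text export of the Security log, keeps only event 566 records whose Access Mask carries the WRITE_DAC bit (0x40000, the mask shown in the record above), and pulls out who made the change and which object was changed. It assumes the tab-separated layout that Event Viewer's "Save as" text export produces (the tabs were lost when the record was pasted above); the first sample record reproduces the posted one, and the second, an ordinary attribute write with mask 0x20, is constructed to show a 566 record that is not a permission change.

```python
"""Filter a Windows Server 2003 Security-log text export for event 566 records
whose access mask includes WRITE_DAC, i.e. permission/inheritance changes on
directory objects.  Sample data below is constructed, not a live capture."""
import re

# Access-mask bit for "Modify permissions"; the posted record shows
# "Access Mask: 0x40000" alongside "Accesses: WRITE_DAC".
WRITE_DAC = 0x40000

# One exported record: Date, Time, Source, Type, Category, Event ID, User,
# Computer, then the quoted multi-line description.  Assumes the tab-separated
# layout of Event Viewer's "Save as... Text" export (an assumption here).
RECORD_RE = re.compile(
    r'^(?P<date>[^\t\n]+)\t(?P<time>[^\t\n]+)\t(?P<source>[^\t\n]+)\t'
    r'(?P<type>[^\t\n]+)\t(?P<category>[^\t\n]+)\t(?P<event_id>\d+)\t'
    r'(?P<user>[^\t\n]+)\t(?P<computer>[^\t\n]+)\t"(?P<description>.*?)"[ \t]*$',
    re.MULTILINE | re.DOTALL,
)

# "Key: value" lines inside the description; the bare lines under
# "Properties:" have no colon and are skipped.
FIELD_RE = re.compile(r'^([^:\n]+):[ \t]?(.*)$', re.MULTILINE)


def _sample_566(time, accesses, properties, mask):
    """Build one exported 566 record (constructed test data)."""
    description = "\n".join([
        "Object Operation:",
        "Object Server: DS",
        "Operation Type: Object Access",
        "Object Type: organizationalUnit",
        "Object Name: OU=Domain Controllers,DC=MOM2005,DC=LOCAL",
        "Handle ID: -",
        "Primary User Name: SHLAB-NNZGIX6VO$",
        "Primary Domain: MOM20050",
        "Primary Logon ID: (0x0,0x3E7)",
        "Client User Name: Administrator",
        "Client Domain: MOM20050",
        "Client Logon ID: (0x0,0x311FC)",
        "Accesses: " + accesses,
        "",
        "Properties:",
        *properties,
        "",
        "Additional Info: ",
        "Additional Info2: ",
        "Access Mask: " + mask,
    ])
    return ("7/10/2007\t" + time + "\tSecurity\tSuccess Audit\tDirectory Service Access"
            "\t566\tMOM20050\\Administrator\tSHLAB-NNZGIX6VO\t\"" + description + "\"")


# Record 1 reproduces the WRITE_DAC record from the thread; record 2 is a
# constructed ordinary attribute write (Write Property, mask 0x20) on the
# same OU, a 566 record that is not a permission change.
SAMPLE_EXPORT = "\n".join([
    _sample_566("6:32:36 PM", "WRITE_DAC", ["WRITE_DAC", "organizationalUnit"], "0x40000"),
    _sample_566("6:35:02 PM", "Write Property",
                ["Write Property", "description", "organizationalUnit"], "0x20"),
])


def parse_fields(description):
    """Turn the description's 'Key: value' lines into a dict."""
    return {m.group(1).strip(): m.group(2).strip()
            for m in FIELD_RE.finditer(description)}


def parse_export(text):
    """Split a text export into records with parsed description fields."""
    records = []
    for m in RECORD_RE.finditer(text):
        rec = m.groupdict()
        rec["event_id"] = int(rec["event_id"])
        rec["fields"] = parse_fields(rec["description"])
        records.append(rec)
    return records


def access_mask(rec):
    """Access Mask as an int (0 if absent or unparsable)."""
    try:
        return int(rec["fields"].get("Access Mask", ""), 16)
    except ValueError:
        return 0


def is_permission_change(rec):
    """Security 566 against the DS whose mask includes WRITE_DAC."""
    return (rec["source"] == "Security" and rec["event_id"] == 566
            and rec["fields"].get("Object Server") == "DS"
            and access_mask(rec) & WRITE_DAC != 0)


def permission_changes(text):
    """Return who changed permissions on which object, from a text export."""
    hits = []
    for rec in parse_export(text):
        if is_permission_change(rec):
            f = rec["fields"]
            hits.append({
                "when": rec["date"] + " " + rec["time"],
                "who": f.get("Client Domain", "") + "\\" + f.get("Client User Name", ""),
                "object": f.get("Object Name"),
                "object_type": f.get("Object Type"),
                "accesses": f.get("Accesses"),
            })
    return hits


if __name__ == "__main__":
    for hit in permission_changes(SAMPLE_EXPORT):
        print(hit)
```

Testing the access mask rather than the category or event ID alone is what separates a permission change from the other 566 records a domain controller writes for ordinary attribute writes; a monitoring rule against the live Security log can apply the same test (event 566 with WRITE_DAC in the description).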
 
Guest

Thanks for the feedback, Sean. Unfortunately, I'm unable to duplicate your
example. If I change the inheritance for permissions on my test OU, I only
get event ID 566 for DNS propagation and replication changes...not permission
changes.

Admittedly, I do not yet have the reg hack for resolving SIDs and GUIDs for
these alerts, but even so, it doesn't appear that the unresolved entries
relate to the fields I'm interested in...namely, the user account making
the change, and the object being changed.

Please correct me, if I'm not on the same page, and/or if I need to clarify
what I'm proposing.

Thanks again!
 
Sean Cai [MSFT]

Hello,

I'm sorry for the slow response. I wasn't in the office yesterday.

I'm wondering whether the audit group policy is applied properly. Also, I
assumed you are using Windows Server 2003, if I'm wrong, please let me know.

I'll build a clean environment and test your issue again. Thank you for
your patience.

Best Regards,

Sean Cai, MCSE2000
Microsoft Online Support

 
Guest

No worries...I appreciate the assistance!

Yes, it is Win2K3 (both domain and forest are at Windows Server 2003
Functional level).

At the Default Domain Policy, I have the following set for the Audit Policy:

Audit account logon events = Success, Failure
Audit account management = Success, Failure
Audit directory service access = Success
Audit logon events = Success, Failure
Audit policy change = Success, Failure

Please correct me if I'm missing something obvious, as I appear to be
missing it myself.

Thanks again,

Dave
 
Sean Cai [MSFT]

Hello Dave,

The test result doesn't change. The audit policy "Audit directory service
access" works when I change OU settings. I was wondering whether the
default audit entry was changed. Since the audit entry is a long list, I
suggest installing a test/virtual DC and comparing your current settings
with the test environment.

You can also refer to the following KB to see if anything is wrong:
HOW TO: Audit Active Directory Objects in Windows Server 2003
http://support.microsoft.com/kb/814595

Best Regards,

Sean Cai, MCSE2000
Microsoft Online Support

 
