You can enable auditing of various events in the appropriate security policy.
Auditing of account logons for instance on domain controllers via Domain Controller
Security Policy will tell when an administrator has logged onto the domain. It sounds
like you may also want to enable auditing of account management. Everything you want
may not be able to be directly audited though enabling auditing of object access and
then auditing specific folder, files, or AD objects may help if you don't mind
pouring through a lot of events in the security log correlating events. Avoid using
the everyone group in auditing and audit for only the bare number of permissions
needed to provide the results you need, for instance possibly audit only write data
or delete and not read to an object as read will generate a ton of events. The link
below is very good at explaining what auditing can do and how to configure it. ---
Steve
http://www.microsoft.com/technet/security/guidance/secmod144.mspx
http://support.microsoft.com/default.aspx?scid=kb;en-us;301640
Aafaq said:
How can I audit/monitor the use of privileged accounts in windows 2000 domain controllers and servers.
Activities like creation/deletion/modification of user ids/Distributions lists in
Exchnage, DHCP scopes,password resets, etc.
