Re: Cross-Domain question (Parent - Child)
- From: "RBot" <sendspamherespammer@xxxxxxxxx>
- Date: 24 Nov 2006 08:31:08 -0800
Thanks Joe,
I actually am only using one DC (this is in a test lab right now). I
am sure that the audit entries ARE being generated, however they may be
labeled differently and contain different information. Since I am
unable to find any documentation on where these entries are located, do
you know of any way to completely disable Active Directory Remote
Management on the server so nobody can make any changes to user or
computer accounts unless logged in directly to the server? This isn't
what I would like to do, but security is a much bigger factor now that
the company I work for has gone public and we are required to meet
different HIPAA and SOX regulations. Any help at all would be
appreciated, again.
Thank you,
Robert Jacobs
Joe Richards [MVP] wrote:
My expectation is that when it is done remotely, it is done against a
different DC so the DC you are looking at doesn't get the audit entries.
The audit entries should be generated regardless of how you do it.
--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net
---O'Reilly Active Directory Third Edition now available---
http://www.joeware.net/win/ad3e.htm
RBot wrote:
Joe
I have a question for you that I think you can answer. I could really
use your help on this one, as I have been unable to find anybody who
can give any.
I am using Event Log Explorer to create filters to view certain logs in
saved event log files. Everything works perfectly and I get exactly
the information that I am looking for out of each log; HOWEVER, I have
come to notice that if any changes are made to user or computer
accounts using the Active Directory Remote Management tool, it is not
logged the same as when I make the changes in Active Directory while
logged into the server. (As a matter of fact, I am unable to find any
logs for the changes whatsoever).
Just so you know where I am coming from, here is an example:
Let's say that a new account is created with the name of "TestAccount"
by user "AccountCreator" at 12:30am on 12/25/1955. I can go into Event
Log Explorer, load the event log from the specified date, and apply a
filter to show me all important changes for the day (a filter that I
have set up that filters by Event ID), and get this output:
Event ID 624
User Account Created:
New Account Name: TestAccount
New Domain: TestDomain
New Account ID: TestDomain\TestAccount
Caller User Name: Account Creator
Caller Domain: TestDomain
When I create a new account using Active Directory Remote Management
tool, I don't get an Event ID 624, and all other events that show up at
the time of setup are either unreadable, or do not have anything to do
with a new user account.
My question is, is there another Event ID that replaces Event ID 624
(if so I will need one to replace many others as well that I can
elaborate on in the future), or, is there a way to DISABLE Active
Directory Remote Management on the servers so I know that all new users
or computers in the domain will show up in Event Viewer. (reports are
used to verify that we have paperwork for all new users created, and if
one shows up in Event Viewer that we don't have paperwork for, it is a
problem. This becomes useless if one can bypass Event Viewer by using
Active Directory Remote Management)
Any advice would be greatly appreciated. Thank you.
Robert Jacobs e-mail: RobertJacobsIT@xxxxxxxxx
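
Added example, not part of the original posts: a sketch of the paperwork reconciliation described in the thread, run over the exported logs of every DC, since the reply notes that the audit entry is written on whichever DC handled the change. It assumes each export is plain text in the Event ID 624 layout quoted above; the DC names, the `RemoteAccount` entry, the non-624 event and the approved list are constructed sample data.

```python
import re

# Constructed sample exports, one per DC, in the layout quoted in the post.
DC_EXPORTS = {
    "DC1": """Event ID 624
User Account Created:
New Account Name: TestAccount
New Domain: TestDomain
Caller User Name: AccountCreator
""",
    "DC2": """Event ID 624
User Account Created:
New Account Name: RemoteAccount
New Domain: TestDomain
Caller User Name: AccountCreator
Event ID 538
User Logoff:
User Name: AccountCreator
""",
}
APPROVED = {"testdomain\\testaccount"}  # constructed paperwork list, lower-cased

HEADER = re.compile(r"^\s*Event ID\s+(\d+)\s*$")
FIELD = re.compile(r"^\s*([^:]+?):\s*(\S.*)$")

def parse_events(text):
    """Split an export into dicts, one per 'Event ID N' header."""
    events = []
    for line in text.splitlines():
        header, field = HEADER.match(line), FIELD.match(line)
        if header:
            events.append({"Event ID": int(header.group(1))})
        elif field and events:
            events[-1][field.group(1).strip()] = field.group(2).strip()
    return events

def unapproved_creations(exports, approved):
    """Return (dc, account, caller) for each 624 event with no paperwork."""
    findings = []
    for dc, text in sorted(exports.items()):
        for ev in parse_events(text):
            account = ev.get("New Domain", "?") + "\\" + ev.get("New Account Name", "?")
            if ev["Event ID"] == 624 and account.lower() not in approved:
                findings.append((dc, account, ev.get("Caller User Name", "?")))
    return findings

if __name__ == "__main__":
    for dc, account, caller in unapproved_creations(DC_EXPORTS, APPROVED):
        print(f"{dc}: {account} created by {caller} has no paperwork on file")
```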