Re: Auditing Account management events

From: Steven L Umbach (n9rou_at_n0-spam-for-me-comcast.net)
Date: 11/29/04

• Next message: Frank: "Re: Use GPO to Add Computers to the Domain?"
• Previous message: Joey: "RE: GPO OBJECT ACCESS"
• In reply to: fex: "Auditing Account management events"
• Next in thread: FEX: "Re: Auditing Account management events"
• Reply: FEX: "Re: Auditing Account management events"
• Messages sorted by: [ date ] [ thread ]

---

Date: Mon, 29 Nov 2004 00:27:34 GMT

You don't need to do it that way and that would not work anyhow for what you
are looking for. Simply enable auditing of "account management" in the
security policy of the computer where you want to track these events. If you
are tracking events for domain users, enable auditing of account management
in Domain Controller Security Policy and view the security logs of the
domain controllers to find the related events. You can use the free Event
Comb tool from Microsoft to scan multiple computer logs in the domain from a
central point. See the link below for more details including explanation of
some Event ID's. --- Steve

http://www.microsoft.com/technet/security/guidance/secmod144.mspx

"fex" <anonymous@discussions.microsoft.com> wrote in message
news:0dcb01c4d5a6$35380e10$a501280a@phx.gbl...
>
> Hello,
>
> I've been auditing multiple events (System Events ,
> Policy Changes , Logon Events , but specially all events
> referents to Account management events like (User Account
> create, User Account Deleted , etc ) However , I applied
> the auditing to the default group everyone on Defaul
> Domain Controller Policy , to check specially all changes
> made by users with domain admin rights. But at this moment
> they are changing users -passwords - deleting users and -
> I don't receive any event id; for instance (ID:624-627-630)
> at the moment they applied any change on the DC.
>
> I would like to know what is my misconfiguration or I need
> more configuartion or the default group it is not applied
> right way ?
>
> I will thanks any comment !!!

---

• Next message: Frank: "Re: Use GPO to Add Computers to the Domain?"
• Previous message: Joey: "RE: GPO OBJECT ACCESS"
• In reply to: fex: "Auditing Account management events"
• Next in thread: FEX: "Re: Auditing Account management events"
• Reply: FEX: "Re: Auditing Account management events"
• Messages sorted by: [ date ] [ thread ]

---

Relevant Pages Re: Auditing Account management events ... account management in the security policy on both domain ... Simply enable auditing of "account ... >domain controllers to find the related events. ... (microsoft.public.win2000.group_policy) Re: auditing logging on ... of security policy for a domain controller is in the Domain Controller Security ... >> logs for failed events after you enable auditing for it. ... (microsoft.public.win2000.security) Re: Auditing / Event Log Entries... ... If you enable Object Access on Domain Controller to be ... > Controller Security Policy it will record only files on domain controller ... Enable auditing in the policy ... (microsoft.public.win2000.security) 2003 DC auditing issue ... I have Windows 2003 test machine, and I test auditing policies. ... 2003 Domain Controller, with default installation settings. ... If I configure all audit policies in “Default Domain Controllers Policy” to ... Audit Account Management) to Audit Success and Audit Failure, ... (microsoft.public.security) Passwords not changing in AD mode ... Security log on the domain controller when this happens: ... The "wssaccount" has access delegated to the OU for account management. ... a user can change their own password if they are an admin in the ... (microsoft.public.sharepoint.windowsservices)

---

We are proud to have Web Hosting and Rack Housing from 9 Net Avenue Deutschland.
(10)