Re: ADAM Auditing




Auditing in ADAM shows up in the security event log. We hook into the
standard Windows auditing subsystem, so it follows all other audit events in
this way.
I'd have to see the script you used, but the short answer is that you can
audit in any way you want. You can audit per object/subtree, per attribute
on those objects, based upon who touches it, how they touch it, etc. So I
can't answer that w/o knowing what the script does. :)

There are really 3 steps to enabling auditing in ADAM:
1) Go to the objects you wish and set the SACLs for the auditing you want -
this is what your script did I suspect
2) Enable directory service auditing in Windows - a local policy of the
machine, but of course can be pushed to a bunch of domain joined machines
via group policy
3) Ensure that ADAM has the required permissions to write audit events -
Again, local or group policy

Hope that helps!

~Eric

--
Eric Fleischman [MSFT]
These postings are provided "AS IS" with no warranties, and confers no
rights.



"Jeffrey Harris" <1Jeffrey1.1Harris1@xxxxxxxxxxxxxxxx> wrote in message
news:BECDD635-6650-4C7E-8696-9356FCA9856A@xxxxxxxxxxxxxxxx
> I am trying to troubleshoot a problem with ADAM communications. I set up
> auditing on a group in my ADAM instance, and set the group to be audited
> for to the users group in the Roles container using the script provided
> in the ADAM FAQ.
>
> Where is the auditing supposed to show up? In the Security log of Event
> Viewer? Or the ADAM log? I looked in both places, and saw nothing.
>
> Does the auditing I set up mean that any user in the users group (say,
> user1) who tries to access the group I set the auditing on (say group1)
> will show up in a log somewhere? The script was not very clear. If I have
> configured the auditing properly, where is the log?
>
> Thanks,
>
> Jeffrey Harris, MCSE W2K.
> Please remove the '1's from the e-mail address before sending.
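
Added example, not part of the original thread or of any Microsoft script: a PowerShell check for steps 2 and 3 of the reply above (directory service auditing enabled, and the ADAM service account holding the "Generate security audits" right). It assumes an English-language Windows version whose auditpol.exe supports `/get /subcategory`, an elevated prompt, and that the instance runs as NETWORK SERVICE (`S-1-5-20`); step 1, the SACLs on the objects, is not checked here.

```powershell
# Assumption: SID of the account the ADAM instance runs as (S-1-5-20 = NETWORK SERVICE).
$ServiceSid = 'S-1-5-20'

function Test-DsAccessAuditing {
    # Step 2: is "Directory Service Access" auditing turned on?
    # /r makes auditpol emit CSV so the setting can be read by column name.
    $row = auditpol.exe /get /subcategory:"Directory Service Access" /r |
        Where-Object { $_ } | ConvertFrom-Csv
    $setting = $row.'Inclusion Setting'
    [pscustomobject]@{
        Step   = 'Directory service access auditing'
        Detail = $setting
        Ok     = [bool]($setting -match 'Success|Failure')
    }
}

function Test-AuditPrivilege {
    # Step 3: does the service account hold SeAuditPrivilege
    # ("Generate security audits"), needed to write audit events?
    param([string]$Sid = $ServiceSid)
    $cfg = Join-Path $env:TEMP 'adam-user-rights.inf'
    secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $line = Get-Content $cfg | Where-Object { $_ -match '^SeAuditPrivilege\s*=' }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    $holders = @()
    if ($line) {
        # Export format: SeAuditPrivilege = *S-1-5-19,*S-1-5-20
        $holders = ($line -split '=', 2)[1].Split(',') |
            ForEach-Object { $_.Trim().TrimStart('*') }
    }
    # Only direct assignments are matched; a right held through group
    # membership shows the group's SID here, not the account's.
    [pscustomobject]@{
        Step   = 'Generate security audits (SeAuditPrivilege)'
        Detail = $holders -join ', '
        Ok     = $holders -contains $Sid
    }
}

@(Test-DsAccessAuditing; Test-AuditPrivilege) | Format-Table -AutoSize
```

If either row shows `Ok` as False, SACLs set on the ADAM objects will not produce events in the Security log.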

