Re: DFS auditing



On my test W2K3 DC (a default install) the only thing configured when
talking about auditing is:
SUCCESS for EVERYONE for write property (2x)

I have configured SUCCESS for EVERYONE for DELETE AND DELETE SUBTREE.

Created a DFS root
Deleted the DFS ROOT
The following is what is reported by the security log:

Category: Directory Service Access
ID: 566


Object Operation:
Object Server: DS
Operation Type: Object Access
Object Type: fTDfs
Object Name: CN=TEST$\0ADEL:2f48a914-e2d1-49ea-9534-3ebd33dcee9b,CN=Deleted Objects,DC=ADCORP,DC=LAN
Handle ID: -
Primary User Name: W2K3DC001$
Primary Domain: ADCORP
Primary Logon ID: (0x0,0x3E7)
Client User Name: Administrator <---------------------- this tells you who did it (in my case it was the administrator)
Client Domain: ADCORP
Client Logon ID: (0x0,0x30554)
Accesses: DELETE

Properties:
DELETE
fTDfs

Additional Info:
Additional Info2:
Access Mask: 0x10000




--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)
# Jorge de Almeida Pinto #
MVP Windows Server - Directory Services
BLOG --> http://blogs.dirteam.com/blogs/jorge/default.aspx
-----------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test before implementing!
-----------------------------------------------------------------------------


-----------------------------------------------------------------------------
"Tim Kalligonis" <tkalligonis@xxxxxxxxxxx> wrote in message
news:ONHt2%23qHGHA.240@xxxxxxxxxxxxxxxxxxxxxxx
>I just checked the auditing on the DFS-Configuration and it actually is set
>to audit EVERYONE - special. One item it is auditing for is DELETE both
>success and failure.
>
> Do you know what event ID I would need to search for?
> This event would be on a domain controller, correct?
> If so, how would I determine which domain controller to look on. In this
> domain we have 49 DCs.
>
>
>
> "Jorge de Almeida Pinto [MVP]"
> <SubstituteThisWithMyFullNameSeparatedByDots@xxxxxxxxx> wrote in message
> news:eu%23%23c3oHGHA.3156@xxxxxxxxxxxxxxxxxxxxxxx
>>I guess auditing of successful directory access should be enabled on the
>>DCs
>>
>> Besides that the container (Dfs-Configuration) that hosts the DFS
>> namespace should be audited for DELETE actions by the group you want to
>> be audited. I just checked and that is not enabled by default on that
>> container
>>
>> --
>>
>> Cheers,
>> (HOPEFULLY THIS INFORMATION HELPS YOU!)
>> # Jorge de Almeida Pinto #
>> MVP Windows Server - Directory Services
>> BLOG --> http://blogs.dirteam.com/blogs/jorge/default.aspx
>> -----------------------------------------------------------------------------
>> * This posting is provided "AS IS" with no warranties and confers no
>> rights!
>> * Always test before implementing!
>> -----------------------------------------------------------------------------
>>
>>
>> -----------------------------------------------------------------------------
>> "Tim Kalligonis" <tkalligonis@xxxxxxxxxxx> wrote in message
>> news:ei73UAgHGHA.3448@xxxxxxxxxxxxxxxxxxxxxxx
>>> Windows 2003 all around on the DCs - 2003 Domain and Forest functional
>>> level
>>>
>>> We delegated control to a DFS root so the division could manage their
>>> own DFS root.
>>>
>>> Well someone deleted the DFS root which caused the 200+ DFS links to
>>> disappear as well.
>>>
>>> We need to determine who did it.
>>>
>>> I've tested in our lab creating and deleting a DFS root and nothing gets
>>> logged to the event logs. How can I determine who deleted the DFS root?
>>>
>>> Thanks
>>> Tim
>>>
>>
>>
>
>
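
Added example (not part of the original thread or written by its posters): a small Python filter that picks DFS root deletions out of exported event 566 text and reports who performed them. It relies on the tombstone naming visible in the event above, where the deleted object's name becomes the old name plus \0ADEL: and its objectGUID; the "---" record separator and the second sample record are assumptions made for this illustration.

```python
import re

DELETE = 0x00010000  # standard DELETE right; matches "Access Mask: 0x10000"
# A deleted object is renamed "<old name>\0ADEL:<objectGUID>" and moved
# under CN=Deleted Objects, as in the Object Name shown in the post.
TOMBSTONE = re.compile(
    r"^CN=(?P<name>.+?)\\0ADEL:(?P<guid>[0-9a-fA-F-]{36}),CN=Deleted Objects,")

# Constructed sample: record 1 mirrors the event in the post, record 2 is
# an invented non-delete event; "---" is an assumed export separator.
SAMPLE = r"""ID: 566
Object Type: fTDfs
Object Name: CN=TEST$\0ADEL:2f48a914-e2d1-49ea-9534-3ebd33dcee9b,CN=Deleted Objects,DC=ADCORP,DC=LAN
Client User Name: Administrator
Client Domain: ADCORP
Accesses: DELETE
Access Mask: 0x10000
---
ID: 566
Object Type: user
Object Name: CN=Example User,CN=Users,DC=ADCORP,DC=LAN
Client User Name: Administrator
Client Domain: ADCORP
Accesses: Write Property
Access Mask: 0x20
"""

def parse_record(text):
    """Turn the 'Key: value' lines of one event description into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")  # split on the first colon only
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def dfs_deletions(log_text):
    """Return who deleted which fTDfs object, based on event 566 records."""
    hits = []
    for block in log_text.split("\n---\n"):
        f = parse_record(block)
        if f.get("ID") != "566" or f.get("Object Type") != "fTDfs":
            continue
        if not int(f.get("Access Mask", "0"), 16) & DELETE:
            continue
        m = TOMBSTONE.match(f.get("Object Name", ""))
        hits.append({
            "who": f"{f.get('Client Domain')}\\{f.get('Client User Name')}",
            "dfs_root": m.group("name") if m else f.get("Object Name"),
            "object_guid": m.group("guid") if m else None,
        })
    return hits
```
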

