Re: DFS auditing



Thanks! Just what I was looking for.

"Jorge de Almeida Pinto [MVP]"
<SubstituteThisWithMyFullNameSeparatedByDots@xxxxxxxxx> wrote in message
news:uVlOiNrHGHA.2704@xxxxxxxxxxxxxxxxxxxxxxx
> on my test W2K3 DC (a default install) the only thing configured when
> talking about auditing is:
> SUCCESS for EVERYONE for write property (2x)
>
> I have configured SUCCESS for EVERYONE for DELETE AND DELETE SUBTREE.
>
> Created a DFS root
> Deleted the DFS ROOT
> The following is what is reported by the security log:
>
> Category: Directory Service Access
> ID: 566
>
>
> Object Operation:
> Object Server: DS
> Operation Type: Object Access
> Object Type: fTDfs
> Object Name: CN=TEST$\0ADEL:2f48a914-e2d1-49ea-9534-3ebd33dcee9b,CN=Deleted Objects,DC=ADCORP,DC=LAN
> Handle ID: -
> Primary User Name: W2K3DC001$
> Primary Domain: ADCORP
> Primary Logon ID: (0x0,0x3E7)
> Client User Name: Administrator <---------------------- this tells you who
> did it (in my case it was the administrator)
> Client Domain: ADCORP
> Client Logon ID: (0x0,0x30554)
> Accesses: DELETE
>
> Properties:
> DELETE
> fTDfs
>
> Additional Info:
> Additional Info2:
> Access Mask: 0x10000
>
>
>
>
> --
>
> Cheers,
> (HOPEFULLY THIS INFORMATION HELPS YOU!)
> # Jorge de Almeida Pinto #
> MVP Windows Server - Directory Services
> BLOG --> http://blogs.dirteam.com/blogs/jorge/default.aspx
> -----------------------------------------------------------------------------
> * This posting is provided "AS IS" with no warranties and confers no rights!
> * Always test before implementing!
> -----------------------------------------------------------------------------
>
>
> -----------------------------------------------------------------------------
> "Tim Kalligonis" <tkalligonis@xxxxxxxxxxx> wrote in message
> news:ONHt2%23qHGHA.240@xxxxxxxxxxxxxxxxxxxxxxx
> >I just checked the auditing on the DFS-Configuration and it actually is set
> >to audit EVERYONE - special. One item it is auditing for is DELETE both
> >success and failure.
> >
> > Do you know what event ID I would need to search for?
> > This event would be on a domain controller, correct?
> > If so, how would I determine which domain controller to look on? In this
> > domain we have 49 DCs.
> >
> >
> >
> > "Jorge de Almeida Pinto [MVP]"
> > <SubstituteThisWithMyFullNameSeparatedByDots@xxxxxxxxx> wrote in message
> > news:eu%23%23c3oHGHA.3156@xxxxxxxxxxxxxxxxxxxxxxx
> >>I guess auditing of successful directory access should be enabled on the
> >>DCs
> >>
> >> Besides that the container (Dfs-Configuration) that hosts the DFS
> >> namespace should be audited for DELETE actions by the group you want to
> >> be audited. I just checked and that is not enabled by default on that
> >> container
> >>
> >> --
> >>
> >> Cheers,
> >> (HOPEFULLY THIS INFORMATION HELPS YOU!)
> >> # Jorge de Almeida Pinto #
> >> MVP Windows Server - Directory Services
> >> BLOG --> http://blogs.dirteam.com/blogs/jorge/default.aspx
> >> -----------------------------------------------------------------------------
> >> * This posting is provided "AS IS" with no warranties and confers no
> >> rights!
> >> * Always test before implementing!
> >> -----------------------------------------------------------------------------
> >>
> >>
> >> -----------------------------------------------------------------------------
> >> "Tim Kalligonis" <tkalligonis@xxxxxxxxxxx> wrote in message
> >> news:ei73UAgHGHA.3448@xxxxxxxxxxxxxxxxxxxxxxx
> >>> Windows 2003 all around on the DCs - 2003 Domain and Forest functional
> >>> level
> >>>
> >>> We delegated control to a DFS root so the division could manage their
> >>> own DFS root.
> >>>
> >>> Well someone deleted the DFS root which caused the 200+ DFS links to
> >>> disappear as well.
> >>>
> >>> We need to determine who did it.
> >>>
> >>> I've tested in our lab creating and deleting a DFS root and nothing gets
> >>> logged to the event logs. How can I determine who deleted the DFS root?
> >>>
> >>> Thanks
> >>> Tim
> >>>
> >>
> >>
> >
> >
>
>
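
Added example, not part of the original thread: with 49 DCs to check, one way to triage is to export the event 566 descriptions from each DC's Security log as text and filter them for deletions of `fTDfs` objects, reading the actor from the Client User Name field as described above. The function names and the second sample event are assumptions made for illustration; the first sample is built from the fields quoted in the thread.

```python
import re

# Constructed samples: the event 566 fields quoted in the thread, and an
# unrelated 566 event (property write on a user object) that must be ignored.
SAMPLE_DELETE = """\
Object Server: DS
Operation Type: Object Access
Object Type: fTDfs
Object Name: CN=TEST$\\0ADEL:2f48a914-e2d1-49ea-9534-3ebd33dcee9b,CN=Deleted Objects,DC=ADCORP,DC=LAN
Primary User Name: W2K3DC001$
Client User Name: Administrator
Client Domain: ADCORP
Accesses: DELETE
"""
SAMPLE_OTHER = """\
Object Server: DS
Object Type: user
Object Name: CN=Some User,CN=Users,DC=ADCORP,DC=LAN
Client User Name: Administrator
Client Domain: ADCORP
Accesses: Write Property
"""

FIELD = re.compile(r"^\s*([A-Za-z0-9 ]+?):[ \t]*(.*?)\s*$")

def parse_566(description):
    """Turn the 'Name: value' lines of an event 566 description into a dict."""
    fields = {}
    for line in description.splitlines():
        m = FIELD.match(line)
        if m:
            fields.setdefault(m.group(1), m.group(2))  # first occurrence wins
    return fields

def find_dfs_deletes(descriptions):
    """Return one dict per event where an fTDfs object was deleted."""
    hits = []
    for text in descriptions:
        f = parse_566(text)
        accesses = f.get("Accesses", "").upper().split()
        if f.get("Object Type") == "fTDfs" and "DELETE" in accesses:
            who = "{}\\{}".format(f.get("Client Domain", "?"),
                                  f.get("Client User Name", "?"))
            hits.append({"who": who, "object": f.get("Object Name", ""),
                         "primary_user": f.get("Primary User Name", "")})
    return hits

if __name__ == "__main__":
    print(find_dfs_deletes([SAMPLE_DELETE, SAMPLE_OTHER]))
```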

