Re: Auditing changes in AD objects?



Hello,
Have a look at the following links as well; you may find some of them useful.

Audit Policy
This module describes how to set different settings that apply to auditing.
It also provides an example of audit events created by several common tasks.
http://www.microsoft.com/technet/security/guidance/secmod50.mspx

Microsoft Security: Threats and Countermeasures Guide - Audit Policy
An audit log records an entry whenever users perform certain actions that
you specify. For example, the modification of a file or a policy can trigger
an audit entry.
http://www.microsoft.com/technet/Security/topics/hardsys/tcg/tcgch03.mspx

Microsoft Windows XP - Audit Policy
This section covers:...
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/aptopnode.mspx

814595 - HOW TO: Audit Active Directory Objects in Windows Server 2003
This step-by-step article describes how to use Windows Server 2003 auditing
to track user activities and system-wide events in Active Directory. When
you use Windows Server 2003 auditing, you can track both user activities and
Windows Server 2003...
http://support.microsoft.com/default.aspx?scid=kb;en-us;814595

314955 - HOW TO: Audit Active Directory Objects in Windows 2000
This step-by-step article describes how to use Windows 2000 auditing to
track user activities and system-wide events in Active Directory. When you
use Windows 2000 auditing, you can track both user activities and Windows
2000 activities, which are...
http://support.microsoft.com/default.aspx?scid=kb;en-us;314955

HOW TO: Enable Local Security Auditing in Windows 2000:
http://support.microsoft.com/default.aspx?scid=kb;en-us;248260

HOWTO: Enabling Local Auditing Policies on Windows 2000:
http://support.microsoft.com/default.aspx?scid=kb;en-us;252412


--
Regards
Christoffer Andersson
Microsoft MVP - Directory Services

----------------------------------------------------------------
http://www.chrisse.se - Active Directory Resources

"Tomasz Onyszko" <T.Onyszko_nospam_@xxxxxx> wrote in message news:uXFdFmD2GHA.4264@xxxxxxxxxxxxxxxxxxxxxxx
Jerry Mickman wrote:
> Hi All,
>
> I'm not new to directory services, but I'm from the Novell world, and I've only been working with AD in depth for a few months.

<matrix mode on>
Welcome to the real world
</matrix mode off>


(...)


> So, we need to find out who's been changing the attributes on the objects.
You have to implement DS object access auditing. You have to do two things:
1. Enable directory object access auditing
http://technet2.microsoft.com/WindowsServer/en/Library/20068d03-6473-4e00-84d4-fb1c7cce57d21033.mspx

2. Set SACLs on the appropriate OUs, objects etc. for the groups or individuals whose DS access you want to track

more about SACLs:
http://technet2.microsoft.com/WindowsServer/en/Library/2f98f5b2-5e7e-4ff3-83a9-c32cf23329211033.mspx

> Novell's eDirectory has two attributes on its objects, creatorsname and modifiersname, which record who created the object and who last modified it.

> Do AD objects have similar attributes, and if so, how can I access them, since DSGET doesn't seem to be able to report their values?

AFAIK an AD object has only whenCreated and whenChanged attributes.


> I'm thinking that what I need to do is run a complete audit on AD, going container by container, and seeing who has rights where. Any helpful hints on how to go about this? Again, I know how I'd do this from within eDirectory, but any helpful hints for AD would be very much appreciated. For instance, it doesn't look like you can use DSGET to report a list of AD trustee assignments for an OU, which would be very helpful.

but you can use dsacls.exe:
http://support.microsoft.com/kb/281146/

or scripts.

--
Tomasz Onyszko
http://www.w2k.pl/ - (PL)
http://blogs.dirteam.com/blogs/tomek/ - (EN)
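The two steps Tomasz describes (check that DS access auditing is on, then put a SACL on the OU) plus the "who has rights where" listing Jerry asks for, as an added PowerShell example that is not part of the thread. It assumes the ActiveDirectory module (AD: drive) on a 2008 R2 or later server, a session holding SeSecurityPrivilege, and a placeholder OU "OU=Sales,DC=example,DC=com".

```powershell
# Added example, not from the thread. Placeholder OU; replace with your own DN.
Import-Module ActiveDirectory
$ouDn = "OU=Sales,DC=example,DC=com"

# Step 1 check: without "Audit directory service access" enabled, a SACL logs nothing.
# auditpol exists on Vista/2008 and later; on 2000/2003 inspect the GPO setting instead.
auditpol /get /category:"DS Access"

# Who has rights on this OU (the trustee list dsget cannot show; dsacls "<DN>" /A
# prints the same data). -Audit also fetches the SACL.
$acl = Get-Acl -Path "AD:\$ouDn" -Audit
$acl.Access |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType,
                  IsInherited, InheritanceType |
    Sort-Object IdentityReference | Format-Table -AutoSize

# Audit entries currently on the OU
$acl.Audit |
    Select-Object IdentityReference, ActiveDirectoryRights, AuditFlags, InheritanceType |
    Format-Table -AutoSize

# Step 2: add a SACL entry so any attribute write by anyone on the OU and its
# descendants produces a Success or Failure event in the Security log.
$everyone = New-Object System.Security.Principal.SecurityIdentifier(
    [System.Security.Principal.WellKnownSidType]::WorldSid, $null)
$rule = New-Object System.DirectoryServices.ActiveDirectoryAuditRule(
    $everyone,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    [System.Security.AccessControl.AuditFlags]"Success,Failure",
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
$acl.AddAuditRule($rule)
Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# The only built-in timestamps: no creator or modifier name is stored on the object.
Get-ADObject -Identity $ouDn -Properties whenCreated, whenChanged |
    Select-Object DistinguishedName, whenCreated, whenChanged
```

Auditing every write by Everyone on a busy OU is noisy; narrow the identity or rights once you know which changes you need to see.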
