Re: Logging OU movement



There is a product that is called Active Administrator which writes all
of your domain controller auditing logs into a SQL database for easy
reporting and filtering of reports, with automatic event notification
to let you know when events are happening within AD.


Herb Martin wrote:
"Joe Brown" <JoeBrown@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:7D6A2EA2-88B6-4190-A744-F0714A49A677@xxxxxxxxxxxxxxxx
I personally don't want them to, but management says differently. At the
very least I want to know whose hands to smack.


The answer to the original question is to use Auditing, either
"Account Management" or specific object auditing which is
less preferable but may be the only way to get the info you
need.

Account Management is an easy (one check setting) way to get things
like creating and deleting accounts, users, computers, groups etc.

I am NOT 100% sure that MOVING from OU to OU is included
in that Account Management set so if you (ever) don't get what
you need from it you must use actual "Directory Service Object"
Auditing (which is very similar to File and other object auditing
but it's completely separate.)

To enable "Directory Service Object" Auditing you do two (separate)
things:

Enable the general Directory Service Object Auditing (GPO etc.)

AND

Set Auditing (ACLs) on the actual objects you wish to track using
the PERMISSION->Advanced tab

The latter (in fact the whole idea) is similar to using NTFS advanced
permissions to set auditing on files, so if you already understand it for
NTFS there is almost nothing new to learn after you have the basic
concept of "two places": general Audit setting AND the individual
object ACLs.

--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]

"Tomasz Onyszko" wrote:

Joe Brown wrote:
If I turn on full logging on the DCs will user/computer OU movement be
logged? This is on a 2003 domain. We are having problems with the desktop
techs moving objects out from under policy to troubleshoot apps then
forgetting to move them back. I'd like to audit who is moving the objects
and when if possible. If I can't do this with Windows is there another tool
that can do this? Thanks.

Maybe I will ask a different question - if you don't want them to move
OUs in your structure, maybe you should use ACLs to prevent them from
doing that?

--
Tomasz Onyszko
http://www.w2k.pl/ - (PL)
http://blogs.dirteam.com/blogs/tomek/ - (EN)
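
The second of the "two places" described in the thread (the audit entry on the objects themselves) can also be set from a script instead of the Advanced tab. The following is an added example, not code from any poster: the function name, the placeholder OU DN, the choice of PowerShell and the choice of audited rights (successful child create/delete, the accesses a move into or out of an OU exercises) are all assumptions. It does not replace the first step, the general directory service audit setting, which still has to be enabled by policy.

```powershell
# Added example: put a success-audit entry for child create/delete on one OU.
# Run by an account holding the "Manage auditing and security log" right.
function Add-OuMoveAuditRule {
    param(
        # Distinguished name of the OU to watch (caller supplies it).
        [Parameter(Mandatory = $true)][string]$OuDn
    )

    $entry = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$OuDn")

    # By default only owner, group and DACL are read and written back.
    # Ask for the SACL instead, so the DACL is never touched by this script.
    $entry.psbase.Options.SecurityMasks = [System.DirectoryServices.SecurityMasks]::Sacl
    $sd = $entry.psbase.ObjectSecurity

    $everyoneSid = 'S-1-1-0'   # well-known SID for Everyone
    $everyone = New-Object System.Security.Principal.SecurityIdentifier($everyoneSid)
    $rights   = [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild'
    $flags    = [System.Security.AccessControl.AuditFlags]::Success
    # All = this OU and everything below it, so nested OUs are covered too.
    $inherit  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All

    # Do nothing if an explicit entry already audits these rights for Everyone.
    $sidType = [System.Security.Principal.SecurityIdentifier]
    foreach ($r in $sd.GetAuditRules($true, $false, $sidType)) {
        $sameRights = ([int]$r.ActiveDirectoryRights -band [int]$rights) -eq [int]$rights
        $onSuccess  = ([int]$r.AuditFlags -band [int]$flags) -ne 0
        if ($r.IdentityReference.Value -eq $everyoneSid -and $sameRights -and $onSuccess) {
            return $false
        }
    }

    $rule = New-Object System.DirectoryServices.ActiveDirectoryAuditRule(
        $everyone, $rights, $flags, $inherit)
    $sd.AddAuditRule($rule)
    $entry.psbase.CommitChanges()   # writes only the SACL, per SecurityMasks above
    return $true
}

# Placeholder DN, constructed for illustration:
# Add-OuMoveAuditRule -OuDn 'OU=Workstations,DC=example,DC=com'
```

Apply it to both the OUs objects are moved out of and the OUs they are moved into, since each side of a move is a separate access on a separate container.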

