Re: Find who added an account to domain admins group



For AD objects you have two types of auditing:
(1) "Audit Account Management"
(2) "Audit directory service access"

(1) is enabled by default for successes and will audit several actions
against security principals (users, groups, computers)
(2) is enabled by default for successes and will audit several actions
against all AD objects. However, for this to work you still need to define a
SACL (System Access Control List) on an object (or objects) for WHAT action by WHO

However, if you have multiple DCs, how do you know where the change occurred? Well, that is also
easy. Membership of a group is stored in the MEMBER attribute of the group.

Running the following command will show you where a change originated:
repadmin /showobjmeta <some DC> "<domain admins DN>"

Check the originating DSA, which is where the change occurred. If you have W2K3 and FFL=W2K3 (LVR) you will be able to see the particular forward link which represents the user who was added to the group. If you do not have FFL=W2K3 you should look at the member attribute.
In both cases record the originating DSA, date and time. Then go to the DC (DSA) and search the security log (same date and time). If it is not available anymore you can restore the security event log file and load it into the event viewer.


--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test before implementing!
------------------------------------------------------------------------------------------
#################################################
#################################################
------------------------------------------------------------------------------------------
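An added example, not part of Jorge's reply, that scripts the same procedure with the ActiveDirectory PowerShell module: Get-ADReplicationAttributeMetadata exposes the per-link originating DSA and timestamp that repadmin /showobjmeta prints, and the originating DC's Security log is then queried around that time. It assumes Windows Server 2012 or later with RSAT, Domain Admins at its default DN, and the member-added event IDs 4728 (Vista+) / 632 (Windows Server 2003); none of those are stated on the page.

```powershell
# Added example (not from the original post). Locate the DC on which a
# Domain Admins membership change originated, then pull the matching
# member-added events from that DC's Security log for the recorded time.
# Assumes the ActiveDirectory module (Windows Server 2012+ / RSAT) and
# rights to read the remote Security log.
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName
$groupDn  = "CN=Domain Admins,CN=Users,$domainDn"   # assumed default location
$anyDc    = (Get-ADDomainController -Discover).HostName

# Replication metadata for the member attribute. With -ShowAllLinkedValues
# each forward link (one per member) carries its own originating DSA and
# change time, the same data repadmin /showobjmeta shows once LVR is on.
$links = Get-ADReplicationAttributeMetadata -Object $groupDn -Server $anyDc -ShowAllLinkedValues |
    Where-Object { $_.AttributeName -eq 'member' } |
    Sort-Object LastOriginatingChangeTime -Descending

$links | Select-Object AttributeValue, LastOriginatingChangeTime,
                       LastOriginatingChangeDirectoryServerIdentity |
    Format-Table -AutoSize

# Most recent link = the member that was added last. The DSA identity is the
# NTDS Settings DN (CN=NTDS Settings,CN=<DC>,CN=Servers,...); the second RDN
# is the DC name. This parsing is an assumption; if the DC was since removed
# the property holds an invocation ID instead and must be mapped by hand.
$latest  = $links | Select-Object -First 1
$dcName  = (($latest.LastOriginatingChangeDirectoryServerIdentity -split ',')[1]) -replace '^CN='
$when    = $latest.LastOriginatingChangeTime
$window  = 5   # minutes either side of the recorded change time

# 4728 = member added to a security-enabled global group (632 on Server 2003).
# Nothing is returned if the Security log on that DC has already wrapped past
# $when; in that case restore the log file as the reply describes.
Get-WinEvent -ComputerName $dcName -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4728, 632
    StartTime = $when.AddMinutes(-$window)
    EndTime   = $when.AddMinutes($window)
} | Select-Object TimeCreated, Id, Message | Format-List
```

Use repadmin /showobjmeta as in the reply on forests without the 2012+ module; the originating DSA and time it prints are the same values fed to Get-WinEvent here.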
"Peter Read" <PeterRead@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:DB882EBD-94EE-4D73-951B-1B2411949194@xxxxxxxxxxxxxxxx
Ok, anyone got any ideas on the following:

An account 'magically' appears in the domain admins group. Event logs are
all set to overwrite as needed (sure, maybe a mistake) and no sign of the
addition in what's online now. Not sure when the account was added to the
group, but am pretty sure it was within the last month.

Is there any moderately quick (i.e. without resorting to restoring DC
backups in a lab environment) way to determine who added the account to the
group, or do I have to chalk this up to experience and keep a tighter watch
on things in the future?
