Re: Is it possible to audit Domain Global Group in AD?



Well, you could check the server's local groups and find out what's a member
of them.

As was mentioned below, the audit trail would be on the server where the
domain group was added to the local group. There is no record in the domain
that the group was added to something.

All that's required to add to the local group is admin privs on (could be
operator privs) the local server/workstation and user access in the domain.
What would be the point of auditing that at the domain level?

Make sense?


"Mugen" <Mugen@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:CE71EBBC-F588-4EC5-98FF-ADBAAD12A1D4@xxxxxxxxxxxxxxxx
Well..... that is not what I want and I knew that can be done. Because the
problem is I do not know which objects are being authenticated through Global
Domain group. Since I just created the Domain group and the Developers and
QAs building new servers as member of the Domain and add the Global Domain
group to the local group of their member servers. My question is there a way
to find out which objects and servers are being mapped to Global Domain
group?

Thanks




"Roger Abell [MVP]" wrote:

Auditing is done on the system where the audited is.
You are asking:
Can I in AD set auditing on a group so that it
triggers an audit event "on use" of that group?
Yes, you can but only for the predefined uses (read, change, . . .)
but not for "made member of", let alone "applied in ACL of
resource X on server S via membership in S\localgroup"

Roger

"Mugen" <Mugen@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:81F4377D-DF40-494F-B7D1-85BDC1E9E2EA@xxxxxxxxxxxxxxxx
Hi,
We have a Windows 2003 AD with Single domain here. I have created some
Domain Global groups (Default setting when you create a group) for our QAs,
Developers. They setup bunch of Windows servers and add our Domain Global
groups to the local groups of their Windows servers and mapped to Windows
server objects (like folder, files etc). I was wondering is there a way for
me to find out which objects like folder, files etc that are mapping to their
Windows servers as well as which servers etc. I checked auditing from group
policy but that's only for if you know which objects and servers to audit.

Thanks.
Mugen
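
The check suggested in the first reply (look at each server's local groups and see what is a member of them), as an added PowerShell example that is not part of the original thread. The function name, domain, group and server names are placeholders, and the account running it is assumed to have administrative rights on every server in the list.

```powershell
# Added example (not from the thread): report every local group, on each listed
# server, that has a given domain global group as a direct member.
function Find-DomainGroupInLocalGroups {
    param(
        [Parameter(Mandatory)] [string]   $Domain,     # NetBIOS domain name (placeholder)
        [Parameter(Mandatory)] [string]   $GroupName,  # domain global group to look for
        [Parameter(Mandatory)] [string[]] $Servers     # member servers to inspect
    )

    # Domain principals show up in local groups with this WinNT ADsPath form.
    $target = "WinNT://$Domain/$GroupName"

    foreach ($server in $Servers) {
        try {
            $computer    = [ADSI]"WinNT://$server,computer"
            $localGroups = $computer.psbase.Children |
                Where-Object { $_.psbase.SchemaClassName -eq 'group' }

            foreach ($group in $localGroups) {
                # Members() returns COM objects; read ADsPath through reflection.
                foreach ($member in @($group.psbase.Invoke('Members'))) {
                    $path = $member.GetType().InvokeMember(
                        'ADsPath', 'GetProperty', $null, $member, $null)
                    if ($path -ieq $target) {
                        [pscustomobject]@{
                            Server     = $server
                            LocalGroup = $group.psbase.Name
                            Member     = $path
                        }
                    }
                }
            }
        }
        catch {
            # Keep unreachable or access-denied servers visible in the report.
            [pscustomobject]@{
                Server     = $server
                LocalGroup = '<not checked>'
                Member     = $_.Exception.Message
            }
        }
    }
}

# Example call with constructed names:
# Find-DomainGroupInLocalGroups -Domain 'EXAMPLE' -GroupName 'QA-Developers' -Servers 'SRV01','SRV02'
```

The local groups it reports are the names to look for in file and folder ACLs on that server, since, as the replies above say, nothing in the domain records where the group was added.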







