Re: ADAM Security Logging

On Dec 23, 7:43 pm, "Lee Flight" <l...@xxxxxxxxxxxxxxx> wrote:
Hi

I do not think that the Field Engineering event log entries will populate
the User column of the ADAM instance event log for a native ADAM
user - I think they need a windows security principal (context) for that.

To get a security log audit when a native ADAM user connects to
an instance you need "Audit account logon events" enabled in
the server security policy of the server housing the instance.
However you would then have to try and correlate those entries
to the Field Engineering logging.

Beyond that options are directory services audit by setting a SACL
but that would audit all accesses with no regard to thresholds and
off the top of my head I cannot recall the status of audit for native
ADAM users.

Further input from me will likely be delayed due to holidays,
Lee Flight

"drm" <don....@xxxxxxxxxxxxxxxxxxxxxxx> wrote in message

news:112b1028-dd7a-4d4f-b790-077345d0719c@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx



The applications in our location that use our ADAM directories should
return a limited number (less than 20) of entries per query.  We would
like to log every query that exceeds that amount.  By changing the
Field Engineering Diagnostics setting to 5 and adding a Expensive
Search Results Threshold Parameter, I was able to log the query
information.  This works great when an AD account ran the query, since
the account shows up next to User: in the log entry.  Unfortunately,
no user information appears when the query is ran using an ADAM
account.  I tried changing different parameters to get the login/
binding information to appear in the Event Logs with no luck.  Is
there a special parameter that I need to add to create a log entry
whenever someone authenticates to an ADAM directory with an ADAM
account?  Is there some other way to determine who submitted the query?- Hide quoted text -

- Show quoted text -

Thanks. Unfortunately, I need someone on our server management team
to change the domain security policy for our ADAM servers and this
will not happen until next week.

A not-to-distant future project involves using SEIM tools. Hopefully
I can use that to correlate the security logs and the Field
Engineering logs or at least limit the search.
.

Relevant Pages

  • Re: ADAM bind proxy failing after w2k to w2k3 domain upgrade
    ... Lee - where could I have seen this error? ... system's event log? ... >> new group policy setting that is affecting either the domain or the ADAM ... >> ADAM uses LsaLookupSids while connecting to the local LSA. ...
    (microsoft.public.windows.server.active_directory)
  • Re: ADAM Authentication in ASP.NET
    ... So often it's just natural reflex to look in the event log that I know I ... > Typically in ASP.NET, to do an authentication via LDAP bind to ADAM, you ... >> Authentication is a big issue for me right now.. ...
    (microsoft.public.windows.server.active_directory)
  • Re: ADAM Security Logging
    ... I do not think that the Field Engineering event log entries will populate ... the User column of the ADAM instance event log for a native ADAM ... return a limited number of entries per query. ... This works great when an AD account ran the query, ...
    (microsoft.public.windows.server.active_directory)
  • Re: About ADAM and SP1 windows 2003
    ... what do you mean that ADAM not support windows ... ADAM supports W2K3 SP1, if you check the ADAM event log you will ... Service Control Event Id 1000 in the ADAM instance event log. ...
    (microsoft.public.windows.server.active_directory)
  • RE: filtering table data on a form with combo boxes
    ... "Adam" wrote: ... I'll leave it at this so far, to see if i am helping, and to ensure you can ... below the combo boxes. ... the query I get an error message "compile error. ...
    (microsoft.public.access.gettingstarted)
Loading