Re: ADAM Security Logging
On Dec 30, 1:39 pm, "Lee Flight" <l...@xxxxxxxxxxxxxxx> wrote:
Hi

so if you look at the effective local security policy on the ADAM
instance server, do you see "Audit account logon events"
enabled for Success/Failure? Note this is different from
"Audit account management".

Note also that if you are using an account other than Network Service
for the ADAM instance service account, you will need to grant that
account the "Generate security audits" right in User Rights Assignment
on the ADAM instance server.

You should see something like:
==
Event Type: Success Audit
Event Source: Security
Event Category: Account Logon
Event ID: 680
Date:  30/12/2008
Time:  18:23:44
User:  S-1-480278077-1953285538-3517650413-1122209673-3100121259-1677648243
Computer: VPC-MEM2
Description:
Logon attempt by: ADAM_instance1
 Logon account: CN=test6,OU=myusers,O=msft
 Source Workstation: 127.0.0.1
 Error Code: 0x0
==

Lee Flight

"drm" <don....@xxxxxxxxxxxxxxxxxxxxxxx> wrote in message

news:48919174-b9e1-4873-94c3-7cba8d16f14f@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
On Dec 24, 2:46 pm, drm <don....@xxxxxxxxxxxxxxxxxxxxxxx> wrote:

On Dec 23, 7:43 pm, "Lee Flight" <l...@xxxxxxxxxxxxxxx> wrote:

Hi

I do not think that the Field Engineering event log entries will
populate the User column of the ADAM instance event log for a native
ADAM user - I think they need a Windows security principal (context)
for that.

To get a security log audit when a native ADAM user connects to
an instance you need "Audit account logon events" enabled in
the server security policy of the server housing the instance.
However you would then have to try and correlate those entries
to the Field Engineering logging.

Beyond that, the option is directory services audit by setting a SACL,
but that would audit all accesses with no regard to thresholds, and
off the top of my head I cannot recall the status of audit for native
ADAM users.

Further input from me will likely be delayed due to holidays,
Lee Flight

"drm" <don....@xxxxxxxxxxxxxxxxxxxxxxx> wrote in message

news:112b1028-dd7a-4d4f-b790-077345d0719c@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

The applications in our location that use our ADAM directories should
return a limited number (less than 20) of entries per query. We would
like to log every query that exceeds that amount. By changing the
Field Engineering Diagnostics setting to 5 and adding an Expensive
Search Results Threshold parameter, I was able to log the query
information. This works great when an AD account ran the query, since
the account shows up next to User: in the log entry. Unfortunately,
no user information appears when the query is run using an ADAM
account. I tried changing different parameters to get the login/
binding information to appear in the Event Logs, with no luck. Is
there a special parameter that I need to add to create a log entry
whenever someone authenticates to an ADAM directory with an ADAM
account? Is there some other way to determine who submitted the
query?

Thanks. Unfortunately, I need someone on our server management team
to change the domain security policy for our ADAM servers, and this
will not happen until next week.

A not-too-distant future project involves using SIEM tools. Hopefully
I can use that to correlate the security logs and the Field
Engineering logs, or at least limit the search.

I checked the log entries after the security policy was updated and no
logs were generated. Do I need to change a registry setting or add a
parameter like I did for the query?

While checking this out, I noticed some Success Audit security log
entries with an Event ID of 697. These show up on the test box I am
using and on another server with an ADAM instance where the security
policy was not changed. I traced the activity to a monitoring tool
that queries the directory to verify that it is functioning properly.
The Username in the log is the service account, not the ADAM account.
According to the security policy on that box, it only creates a
success log on Audit account management.

Granting "Generate security audits" rights corrected the problem.
Thanks for your help.

Have a happy and prosperous new year!
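As an added example (not from the thread or from Microsoft), here is a PowerShell sketch of the correlation Lee mentioned: it parses the Event ID 680 description quoted above into an object and matches it to an expensive-search record from the same client address. The function names, the sample search record, and the assumption that the Field Engineering entry's client address has already been parsed out of its text (its layout is not shown in the thread) are all mine.

```powershell
# Added example, not part of the thread. Turns the Event ID 680 description
# quoted above into an object and lines it up with a Field Engineering
# expensive-search record from the same client address.
function ConvertFrom-AdamLogonAudit {
    param([string]$Message, [datetime]$Time)
    # Keep only audits raised by an ADAM instance service (name starts with ADAM_)
    if ($Message -notmatch 'Logon attempt by:\s*(ADAM_\S+)') { return $null }
    $instance = $matches[1]
    $account = if ($Message -match 'Logon account:\s*(.+)') { $matches[1].Trim() } else { '' }
    $source  = if ($Message -match 'Source Workstation:\s*(\S+)') { $matches[1] } else { '' }
    $code    = if ($Message -match 'Error Code:\s*(0x[0-9A-Fa-f]+)') { $matches[1] } else { '' }
    New-Object PSObject -Property @{
        Time = $Time; Instance = $instance; Account = $account
        Source = $source; Success = ($code -eq '0x0')
    }
}

# Live version: reads the Security log on the ADAM server. Needs the audit
# policy and the "Generate security audits" right discussed in the thread.
function Get-AdamLogonAudits {
    param([datetime]$After = (Get-Date).AddHours(-1))
    Get-EventLog -LogName Security -InstanceId 680 -After $After |
        ForEach-Object { ConvertFrom-AdamLogonAudit $_.Message $_.TimeGenerated } |
        Where-Object { $_ -ne $null }
}

# Latest successful ADAM bind from the search's client address within the
# window. $Search is assumed to carry Time and Source already extracted
# from the Field Engineering entry.
function Find-BindForSearch {
    param($Search, $Binds, [int]$WindowSeconds = 300)
    $Binds |
        Where-Object { $_.Success -and $_.Source -eq $Search.Source -and
                       $_.Time -le $Search.Time -and
                       ($Search.Time - $_.Time).TotalSeconds -le $WindowSeconds } |
        Sort-Object Time -Descending | Select-Object -First 1
}

# Constructed sample: the 680 description Lee quoted, plus a made-up search
# record seen 40 seconds later from the same client.
$sample = @"
Logon attempt by: ADAM_instance1
 Logon account: CN=test6,OU=myusers,O=msft
 Source Workstation: 127.0.0.1
 Error Code: 0x0
"@
$bind = ConvertFrom-AdamLogonAudit $sample ([datetime]'2008-12-30 18:23:44')
$search = New-Object PSObject -Property @{
    Time = [datetime]'2008-12-30 18:24:24'; Source = '127.0.0.1'; Entries = 57
}
Find-BindForSearch $search @($bind) | Format-List Time, Instance, Account, Source
```

A loopback Source Workstation of 127.0.0.1, as in Lee's sample, will match every local bind, so the window matters more there than for remote clients.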