RE: Auditing a User Account

From: Ricky Morris [MSFT] (rickym_at_online.microsoft.com)
Date: 08/06/04 

Date: Fri, 06 Aug 2004 22:14:37 GMT

Jason,

Interesting question.

Before making any changes to the policies on the SBS 2003 server, you should do the following first:
a. Make an ASR backup of the server.
b. Make a current system state backup of the server.
c. Make a full on-line backup of the Exchange Information Store.
d. Make a full backup of other data, including SharePoint MSDE databases.
e. Install the recovery console on the server and test booting into it.

The ASR backup should be kept fairly up to date...run a fresh one about every 4 weeks.
The System state backup should be made before any change is allowed on the SBS 2003 server, including Windows updates.

You can create a Group Policy which applies to just one user by configuring security filtering to allow just this one user to read the policy,
link to the domain object and configure the auditing settings desired.

Here's a way to accomplish your goal:
1. Open the Group Policy Management Console.
2. Go to the Domains\DomainName\MyBusiness\Computers\SBSComputers OU. (The SBS 2003 computers should all be in this OU.)
3. Right Click on the SBSComputers OU. Select "Create and link a GPO here..."
4. Call the GPO SBSComputers Admin Access Auditing Policy or some other name.
5. Configure the Auditing policy settings for the GPO. Close the Group Policy Editor.
6. Click on the Delegation tab of the GPO. Click on the Advanced... button.
7. Add the user account you want to audit. Give this user Read and Apply Group Policy Rights.
8. Click on the Advanced button of the GPO security Settings.
9. Select the account being audited on the permission tab in the permissions entries window.
10. Click Edit.
11. Make sure that the permissions assigned to the audited account apply to this Object and all Child Objects.
12. Make sure that the following permissions are allowed:
List Contents
Read All Properties
Read Permissions
Apply Group Policy
(There will be two entries for the audited account's permissions here. One will be read permissions, the second will be the apply group
policy permission alone.)
13. OK out of the advanced properties.
14. Test the GPO. You can "what if" the GPO by running the Group Policy results wizard from the GPMC console and specifying the LAN
computer you want to test. Run GPUPDATE /FORCE on the LAN computer first in order to obtain a valid result.

Best Regards,

Ricky Morris
Microsoft Small Business Server Support
This posting is provided "AS IS" with no warranties, and confers no rights.

Newsgroups:
SBS v4.x : microsoft.public.backoffice.smallbiz
SBS 2000: microsoft.public.backoffice.smallbiz2000
SBS 2003: microsoft.public.windows.server.sbs

--------------------
Date: Thu, 05 Aug 2004 11:07:33 -0400
From: JW <noneya@noneya.com>
User-Agent: Mozilla Thunderbird 0.7.2 (Windows/20040707)
X-Accept-Language: en-us, en
MIME-Version: 1.0
Subject: Auditing a User Account
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Message-ID: <uFURu3veEHA.3632@TK2MSFTNGP11.phx.gbl>
Newsgroups: microsoft.public.windows.server.sbs
NNTP-Posting-Host: mail.spiritteam.com 64.90.17.117
Lines: 1
Path: cpmsftngxa06.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP11.phx.gbl
Xref: cpmsftngxa06.phx.gbl microsoft.public.windows.server.sbs:93908
X-Tomcat-NG: microsoft.public.windows.server.sbs

Is it possible to Audit a User Account on our Network? We have set up
an administrator user that will be used to logon to client machines and
install software and other fixes. We would like to audit this account.
  We are running WSBS 2003.
Any info on how this can be done is greatly appreciated,

Jason