Active Directory Monitoring

cpals

Diamond Member
Mar 5, 2001
Background info - I've assumed responsibility on an Active Directory system that isn't set up the best and most of our techs have almost full rights.

We have a tech that seems to be or some other tech keeps putting him in the domain admins group and I'm trying to find out if there is a way to turn on a trace or something to find out who keeps putting him in the group and when.

This is just temporary until I can get all of the security groups fixed so regular techs cannot do this.

Thanks.
 

kevnich2

Platinum Member
Apr 10, 2004
Why not just take anyone who shouldn't be a domain admin out of the group? That way nobody unauthorized can add that in the first place. But as far as logging it, under the Group Policy management, go into the auditing section for the domain controller and make sure you enable auditing of the item you wish to audit (which in this case I think it's Object Access). But really, if you simply take out anyone who isn't supposed to be a domain admin, the problem should take care of itself. Unless of course that person has the administrator password, which I would change anyway to prevent issues like this. Domain admins are very powerful users (unlimited access).
 

cpals

Diamond Member
Mar 5, 2001
Because they still need access to unlock accounts, add computers to the domain, etc., and as of right now there is no other group with those types of permissions and I'm not sure what else will be affected by taking them out of those groups. Our Active Directory setup is kind of a shambles and I'm working on cleaning it up, but for right now I just want a way to track this user's account.
 

dphantom

Diamond Member
Jan 14, 2005
Auditing will track those actions. Have you considered delegating authority in AD and restricting access of the techs via that method?
 

ianching

Member
May 28, 2001
Have you tried looking into the security logs of your domain controller? (e.g. Right click on MY COMPUTER and click MANAGE)

It should be classified as "Account Management" in the Category field, with Event IDs of 641 and 632.
 

cpals

Diamond Member
Mar 5, 2001
Originally posted by: ianching
Have you tried looking into the security logs of your domain controller? (e.g. Right click on MY COMPUTER and click MANAGE)

It should be classified as "Account Management" in the Category field, with Event IDs of 641 and 632.

Yep, that's exactly where I ended up... we only had 'failures' turned on so I turned both failures and successes on.

Thanks.
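
Added example, not part of any post in the thread: one way to pull the events the thread identifies (Security log, Event IDs 632 and 641) from the command line instead of browsing Event Viewer, once success auditing is turned on. The DC names, group name and look-back window are assumptions to replace with your own.

```powershell
# Added example (not from the thread). Assumes Windows PowerShell and an
# account allowed to read the Security log on each domain controller.
param(
    [string[]]$DomainControllers = @('DC01', 'DC02'),  # hypothetical DC names
    [string]$GroupName           = 'Domain Admins',
    [int]$DaysBack               = 30
)

# Event IDs named in the thread (Account Management category).
$eventIds = 632, 641
$since    = (Get-Date).AddDays(-$DaysBack)

$hits = foreach ($dc in $DomainControllers) {
    # Each DC records only the changes made on it, so query every one.
    Get-EventLog -LogName Security -ComputerName $dc `
                 -InstanceId $eventIds -EntryType SuccessAudit `
                 -After $since -ErrorAction SilentlyContinue |
        # Keep only events whose text mentions the group being watched.
        Where-Object { $_.Message -match [regex]::Escape($GroupName) }
}

if (-not $hits) {
    Write-Output "No matching events since $since. Confirm success auditing is enabled."
    return
}

# Oldest first: when it happened, which DC logged it, the account recorded
# on the event, and the full message text for review.
$hits |
    Sort-Object TimeGenerated |
    Select-Object TimeGenerated, MachineName, InstanceId, UserName, Message |
    Format-List
```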
 