
Active Directory Monitoring

cpals

Diamond Member
Background info - I've assumed responsibility for an Active Directory system that isn't set up the best, and most of our techs have almost full rights.

We have a tech who seems to be putting himself, or some other tech keeps putting him, in the Domain Admins group, and I'm trying to find out if there is a way to turn on a trace or something to find out who keeps putting him in the group and when.

This is just temporary until I can get all of the security groups fixed so regular techs cannot do this.

Thanks.
 
Why not just take anyone who shouldn't be a domain admin out of the group? That way nobody unauthorized can add them in the first place. But as far as logging it, under Group Policy Management, go into the auditing section for the domain controller and make sure you enable auditing of the item you wish to audit (which in this case I think is Object Access). But really, if you simply take out anyone who isn't supposed to be a domain admin, the problem should take care of itself. Unless of course that person has the administrator password, which I would change anyway to prevent issues like this. Domain admins are very powerful users (unlimited access).
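The "take everyone who shouldn't be there out of the group" advice can be turned into a repeatable check. The following PowerShell is an added example, not code from this thread; it assumes the RSAT ActiveDirectory module is installed and that the approved-member list (a constructed placeholder here) is maintained by the admin. It only reports drift; the removal line is left commented out so the script is read-only by default.

```powershell
# Added example: report Domain Admins members that are not on an approved list.
# Assumes the RSAT ActiveDirectory module is available; run as a user who can read AD.
Import-Module ActiveDirectory

# Constructed placeholder: replace with the accounts that are actually allowed.
$Approved = @('Administrator', 'da-backup')

# -Recursive expands nested groups, so a tech added through a nested group is still found.
$Members = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Select-Object -ExpandProperty SamAccountName

$Unexpected = $Members | Where-Object { $Approved -notcontains $_ }

if ($Unexpected) {
    Write-Warning "Unexpected Domain Admins members: $($Unexpected -join ', ')"
    # Cleanup, deliberately commented out so the report stays read-only:
    # Remove-ADGroupMember -Identity 'Domain Admins' -Members $Unexpected -Confirm:$false
} else {
    Write-Output 'Domain Admins membership matches the approved list.'
}
```

Scheduling this (for example as a task on a domain controller) gives a quick alert when the group changes, independently of whether the Security log was retained.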
 
Because they still need access to unlock accounts, add computers to the domain, etc., and as of right now there is no other group with those types of permissions, and I'm not sure what else will be affected by taking them out of those groups. Our Active Directory setup is kind of a shambles and I'm working on cleaning it up, but for right now I just want a way to track this user's account.
 
Auditing will track those actions. Have you considered delegating authority in AD and restricting access of the techs via that method?
 
Have you tried looking into the security logs of your domain controller? (e.g. Right click on MY COMPUTER and click MANAGE)

It should be classified as "Account Management" in the Category field, with Event IDs of 641 and 632.
 
Originally posted by: ianching
Have you tried looking into the security logs of your domain controller? (e.g. Right click on MY COMPUTER and click MANAGE)

It should be classified as "Account Management" in the Category field, with Event IDs of 641 and 632.

Yep, that's exactly where I ended up... we only had 'failures' turned on so I turned both failures and successes on.

Thanks.
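The two steps the thread ends on (turn on success auditing for account management, then read the Security log for the group-change events) can be done from PowerShell on a domain controller. This is an added example, not code from the thread. It assumes a Windows Server 2008 or later DC: the 632 and 641 IDs quoted above are the Windows 2000/2003 numbers, and on 2008+ the same events are 4728 (member added to a security-enabled global group) and 4737 (global group changed), i.e. the legacy ID plus 4096. The seven-day window and the "Domain Admins" filter are assumptions.

```powershell
# Added example: enable success+failure auditing for group membership changes, then list
# who added whom to Domain Admins, and when. Run in an elevated PowerShell on the DC.
# Assumes Windows Server 2008 or later (event IDs 4728/4737; the thread's 632/641 are the
# Windows 2000/2003 equivalents). In production put the audit setting in the GPO linked
# to the Domain Controllers OU rather than setting it locally.

# 1. "Security Group Management" is the granular subcategory under Account Management.
auditpol /set /subcategory:"Security Group Management" /success:enable /failure:enable

# 2. Pull the relevant Security log events from the last 7 days (assumed window).
$Filter = @{
    LogName   = 'Security'
    Id        = 4728, 4737
    StartTime = (Get-Date).AddDays(-7)
}

Get-WinEvent -FilterHashtable $Filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Each event's named fields live in EventData in the XML view.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            EventId   = $_.Id
            Group     = $data['TargetUserName']                       # group that changed
            Member    = $data['MemberName']                           # DN of added account (4728 only)
            ChangedBy = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
        }
    } |
    Where-Object { $_.Group -eq 'Domain Admins' } |
    Sort-Object Time |
    Format-Table -AutoSize
```

The `ChangedBy` column is the account that performed the change, which is exactly the "who" the original question asks for; `Time` is the "when". Success auditing must be enabled before the change happens, so the log only answers the question for additions made after step 1 (or after the equivalent GPO setting) took effect.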
 