Additionally, it would be helpful to know how they did what they did and what account they used to do it. I can think of many ways it's possible, but it would be good to know what avenue they are using. You should be able to correlate the change of USN with the Event log entry (audit) of the change. EventcombMT is a useful tool for this and is available at the Microsoft web site as a security tool.
Al

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Coleman, Hunter
Sent: Friday, June 11, 2004 10:07 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Security

Sounds like the rebuild is a good thing, given the little angels' propensity to do things they shouldn't. The approach I'd take is to monitor the update sequence number on the Domain Admins, Schema Admins, and Enterprise Admins groups. If the USN changes on any of the groups, then you know that *something* about the group changed, and you can start looking at memberships. Wrap this up in a script that you run frequently, and have it notify you when the USN changes. If you search microsoft.public.* newsgroups for "vbscript usnChanged richard mueller" (go to http://groups.google.com/advanced_group_search) you'll find some sample vbscript to grab the USN.

Hunter

-----Original Message-----
From: Aaron Visser [mailto:[EMAIL PROTECTED]
Sent: Thursday, June 10, 2004 10:47 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Security

More Details

Win2k Servers: 1 Root Server with another one for redundancy, 1 ISA Server, 1 Server for Teacher Data, 1 Server for Student Data
Win2003 Servers: 1 for Office Staff

And the fun begins. Well, the biggest problem I am faced with is that the users (Students) ON the network are constantly trying to break in or crash the Servers. They are relentless; somehow yesterday (I have no idea how) they had managed to add accounts to the Domain Admin Group, the Schema Admins and the Enterprise Admins. The accounts they have added have been removed, but again today I encountered two new instances of users being added to the Domain Admin group. I am following this as closely as I can, checking the groups every 10-15 minutes, but that becomes very tedious and a real pain in the ... so I was wondering if I could be notified of such things happening rather than have to find out the hard way.

I did the GPO thing of Restricting Groups and I restricted the mentioned groups, but I am pretty sure I shouldn't have done that, as now all my Admin groups are Restricted (Domain Admins, Schema Admins, Enterprise Admins). I just want to make it a few more weeks until the end of the School year so I can rebuild the entire network with new servers etc. (I inherited it about a month ago). Any help or insight or just thoughts on the whole situation is appreciated.

Thanks to everyone,
Aaron Visser

> From: "Passo, Larry" <[EMAIL PROTECTED]>
> Reply-To: [EMAIL PROTECTED]
> Date: Thu, 10 Jun 2004 20:37:24 -0700
> To: <[EMAIL PROTECTED]>
> Subject: RE: [ActiveDir] Security
>
> I'm curious, do you have any more details?
>
> -----Original Message-----
> From: Grillenmeier, Guido [mailto:[EMAIL PROTECTED]
> Sent: Thursday, June 10, 2004 2:47 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Security
>
> Don't use the Restricted Groups feature on domain groups, especially
> domain admins. This has caused various issues for companies and thus
> they've backed away from this approach. However, using restricted
> groups on member servers and clients works well.
>
> \Guido
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Passo, Larry
> Sent: Thursday, 10 June 2004 19:38
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Security
>
> If you want to make sure that no one is added to the group you could
> make the group a Restricted Group via a GPO.
>
> If you want to know when a user is added to the group, you could use a
> GPO to turn on auditing of "Account Management", but then you would
> have to search the audit logs of all of the DCs in the domain to find
> the activity.
>
> Or you could write a script that looked at the group membership and
> compared it with a pre-determined list. Then execute the script on a
> schedule of your choice.
>
> -----Original Message-----
> From: Aaron Visser [mailto:[EMAIL PROTECTED]
> Sent: Thursday, June 10, 2004 9:51 AM
> To: [EMAIL PROTECTED]
> Subject: [ActiveDir] Security
>
> I need to know when the Domain Admin Group has a user added to it, or
> at least have that operation audited. Is there any way to perform this
> with GPO or something built into win2k server?
>
> Thanks,
> Aaron Visser
>
> List info : http://www.activedir.org/mail_list.htm
> List FAQ : http://www.activedir.org/list_faq.htm
> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/