Microsoft Audit Collection System, formerly known by the codename "DAD", is a system for consolidating and analyzing security event logs.
It is a client/server application consisting of an agent, which is implemented as a service running on the monitored machine, and a collector, which runs as a service on a machine dedicated to that task. The agent monitors the security log for changes and transmits new events to the collector as they occur. The collector breaks the events apart and loads them into a database in a manner optimized for later analysis. -----Original Message----- From: Roger Seielstad [mailto:[EMAIL PROTECTED] Sent: Wednesday, October 29, 2003 10:43 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] I'm appearantly way behind. WTF is MACS? -------------------------------------------------------------- Roger D. Seielstad - MTS MCSE MS-MVP Sr. Systems Administrator Inovis Inc. > -----Original Message----- > From: Diane Ayers [mailto:[EMAIL PROTECTED] > Sent: Tuesday, October 28, 2003 10:56 PM > To: [EMAIL PROTECTED] > Subject: RE: [ActiveDir] > > > I was waiting for "BRO" and "SIS" to come along too after MOM and DAD. > Maybe they were to close to "BOB" and made someone nervous :-) > > Diane > > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan > Sent: Tuesday, October 28, 2003 6:28 PM > To: [EMAIL PROTECTED] > Subject: RE: [ActiveDir] > > Shawn, > > Separate verification that what Gil is telling you is correct. I've > needed to set up just the same to manage some issues with an Admin > that had rights that he really shouldn't have, yet was mandated by > management that he have them. The only way to convince management was > to prove that the problems being caused were coming from the careless > actions of the Admin. > > On another note, code name for MACS before the name was settled on - > DAD..... Meant to 'co-exist' with MOM, but Distributed Auditing Device > was not a real Marketing win..... Not that I think Microsoft Audit > Collection Server is all that much better... > > Rick Kingslan MCSE, MCSA, MCT > Microsoft MVP - Active Directory > Associate Expert > Expert Zone - www.microsoft.com/windowsxp/expertzone > > > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of > [EMAIL PROTECTED] > Sent: Tuesday, October 28, 2003 4:16 PM > To: [EMAIL PROTECTED] > Subject: RE: [ActiveDir] > > File and Object auditing on the Sysvol and Policies directory > explicitly should do the trick???...At least this would show who was > making changes. > At that point I can confront that person.. > > Sound correct? > > Thanks Gil > > > Shawn > > > -----Original Message----- > From: Gil Kirkpatrick [mailto:[EMAIL PROTECTED] > Sent: Tuesday, October 28, 2003 5:12 PM > To: '[EMAIL PROTECTED]' > Subject: RE: [ActiveDir] > > You can set up auditing in AD on the GPOs themselves by setting the > SACLs... > The accesses will show up in the security audit log. You can likewise > set up auditing on the SYSVOL to track changes on the files. Use your > favorite event log collector (e.g., Microsoft's MACS, which is in > Beta). > But translating the resulting mess of event log entries into something > meaningful will be a challenge. And you won't be able to tell > specifically what was changed.... Just that it was changed. > > -gil > > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of > [EMAIL PROTECTED] > Sent: Tuesday, October 28, 2003 3:00 PM > To: [EMAIL PROTECTED] > Subject: RE: [ActiveDir] > > > Great, but anything built in to the OS? Anyway I can point a finger > at a DBA that is poking is hands where they do not belong. Please > don't ask why they have rights....aarrgghhh > > > Shawn > > > -----Original Message----- > From: Gil Kirkpatrick [mailto:[EMAIL PROTECTED] > Sent: Tuesday, October 28, 2003 4:46 PM > To: '[EMAIL PROTECTED]' > Subject: RE: [ActiveDir] > > FullArmor FAZAM GPO Auditor... www.fullarmor.com > > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of > [EMAIL PROTECTED] > Sent: Tuesday, October 28, 2003 2:26 PM > To: [EMAIL PROTECTED] > Subject: [ActiveDir] > > > I believe a GPO was modified by someone with the appropriate 'rights', > but that person did not communicate changes were to be made and now we > see some strange issues.... > > Issues are not the point of this question. Does anyone know of a way > to determine who modified the GPO? > > Thanks in advance, > Shawn > > > > List info : http://www.activedir.org/mail_list.htm > List FAQ : http://www.activedir.org/list_faq.htm > List archive: > http://www.mail-archive.com/activedir%40mail.activedir.org/ > > List info : http://www.activedir.org/mail_list.htm > List FAQ : http://www.activedir.org/list_faq.htm > List archive: > http://www.mail-archive.com/activedir%40mail.activedir.org/ > > List info : http://www.activedir.org/mail_list.htm > List FAQ : http://www.activedir.org/list_faq.htm > List archive: > http://www.mail-archive.com/activedir%40mail.activedir.org/ > > List info : http://www.activedir.org/mail_list.htm > List FAQ : http://www.activedir.org/list_faq.htm > List archive: > http://www.mail-archive.com/activedir%40mail.activedir.org/ > > List info : http://www.activedir.org/mail_list.htm > List FAQ : http://www.activedir.org/list_faq.htm > List archive: > http://www.mail-archive.com/activedir%40mail.activedir.org/ > > > > List info : http://www.activedir.org/mail_list.htm > List FAQ : http://www.activedir.org/list_faq.htm > List archive: > http://www.mail-archive.com/activedir%40mail.activedir.org/ > List info : http://www.activedir.org/mail_list.htm > List FAQ : http://www.activedir.org/list_faq.htm > List archive: > http://www.mail-archive.com/activedir%40mail.activedir.org/ > > > > List info : http://www.activedir.org/mail_list.htm > List FAQ : http://www.activedir.org/list_faq.htm > List archive: > http://www.mail-archive.com/activedir%40mail.activedir.org/ > List info : http://www.activedir.org/mail_list.htm > List FAQ : http://www.activedir.org/list_faq.htm > List archive: > http://www.mail-archive.com/activedir%40mail.activedir.org/ > > > > List info : http://www.activedir.org/mail_list.htm > List FAQ : http://www.activedir.org/list_faq.htm > List archive: > http://www.mail-archive.com/activedir%> 40mail.activedir.org/ > > > > List info : > http://www.activedir.org/mail_list.htm > List FAQ : http://www.activedir.org/list_faq.htm > List archive: > http://www.mail-archive.com/activedir%> 40mail.activedir.org/ > > > List info : > http://www.activedir.org/mail_list.htm > List FAQ : http://www.activedir.org/list_faq.htm > List archive: > http://www.mail-archive.com/activedir%> 40mail.activedir.org/ > List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
