Probably. Never said it was fool-proof but only that it addresses a small part of the total picture. I will let my cohorts speak to the specifics to the process if they choose. Ideally, your admin and security model would prevent any un-authorized changes but the 8th and 9th layer sometimes comes into play... Fortunately we don't have that problem
-----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Thursday, October 06, 2005 5:24 PM To: [email protected] Subject: RE: [ActiveDir] Modifying Domain Admins & Administrators Group How does it work? Do you use LDAP to look at the membership? If so, you probably have a whole in the implementation. -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ayers, Diane Sent: Thursday, October 06, 2005 2:20 PM To: [email protected] Subject: RE: [ActiveDir] Modifying Domain Admins & Administrators Group We run a simple process that monitors the members of elevated privilege groups. Any changes trigger a notification. Doesn't address the prevention but will allow you to capture the occurrence and deal with it appropriately. Diane -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Devan Pala Sent: Thursday, October 06, 2005 10:00 AM To: [email protected] Subject: [ActiveDir] Modifying Domain Admins & Administrators Group Hi, We have about 7 domain administrators in a particular child domain. I just found out someone added the DBA Group to part of the Administrators group in this domain. Not necessary, not required nor is it a policy. Event logs have obviously been overwritten therefore I would like to know the simplest method to avoid this scenario from ever happening again. What are my options? Thank you so much. List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
