Depends upon what your organization's security/compliance requirements
are, but here are some things to think about:

--excessive failed logons, password changes
--account policy changes
--changes to AD configuration objects (e.g. creation/deletion of sites,
site links, AD-integrated DNS zones, schema object mods., FSMO role
changes)
--changes to key AD group memberships (e.g. Domain Admins, Enterprise
Admins.) or service accounts
--changes to key Group Policies
--changes to key attributes (e.g. department, phone number, ManagedBy)

There's probably a longer list but those are just some that come to mind
right away.

Depending upon the objects being monitored, and your needs, the native
security logs may/may not provide the data you need. In that case, 3rd
party tools like those from NetPro, Quest, NetIQ may make sense.

Darren

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Adeel Ansari
Sent: Monday, March 06, 2006 9:01 PM
To: [email protected]
Subject: [ActiveDir] AD - What to monitor?

AD Gurus,

Can you guys expand on the topic of what should be monitored in AD, and
why?
I am talking in terms of security events only, to protect AD and also
protect from attacks of any kind.

Obviously, one would monitor failed logons, too many account creations,
etc.
What else should we monitor?

Regards,
Adeel




List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
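
One way to turn the checklist in the reply above into a first-pass filter over security events, as an added example that is not part of the original thread. It assumes the event IDs logged by Windows Server 2008 and later (the thread names none); the record field names (`account`, `group`, `dn`, `attr`) and the sample events are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Event IDs as logged by Windows Server 2008 and later (assumption; the thread names none).
FAILED_LOGON, PASSWORD = 4625, {4723, 4724}  # failed logon; password change / reset
POLICY = {4739, 4713}                # domain policy / Kerberos policy changed
GROUP_ADD = {4728, 4732, 4756}       # member added to global / local / universal group
DS_CHANGE = {5136, 5137, 5141}       # directory object modified / created / deleted
KEY_GROUPS = {"domain admins", "enterprise admins"}
KEY_ATTRS = {"department", "telephonenumber", "managedby"}

def classify_ds_change(dn, attr):
    """Map a directory change to one of the reply's categories, or None."""
    dn, attr = dn.lower(), (attr or "").lower()
    if "cn=policies,cn=system," in dn:
        return "group policy change"
    if "cn=configuration," in dn or "cn=microsoftdns," in dn:
        return "AD configuration change"
    return "key attribute change" if attr in KEY_ATTRS else None

def triage(events, threshold=5, window=timedelta(minutes=10)):
    """Return (category, detail) alerts; 4625 events must be in time order."""
    alerts, failures = [], defaultdict(list)
    for ev in events:
        eid = ev["id"]
        if eid == FAILED_LOGON:
            # Sliding window per account; alert when the count reaches the threshold.
            times = [t for t in failures[ev["account"]] if ev["time"] - t <= window] + [ev["time"]]
            failures[ev["account"]] = times
            if len(times) == threshold:
                alerts.append(("excessive failed logons", ev["account"]))
        elif eid in PASSWORD:
            alerts.append(("password change", ev["account"]))
        elif eid in POLICY:
            alerts.append(("account policy change", str(eid)))
        elif eid in GROUP_ADD and ev["group"].lower() in KEY_GROUPS:
            alerts.append(("key group membership change", ev["group"]))
        elif eid in DS_CHANGE:
            category = classify_ds_change(ev["dn"], ev.get("attr"))
            if category:
                alerts.append((category, ev["dn"]))
    return alerts

def sample_events():
    """Constructed events with simplified field names, not real log output."""
    t0, dom = datetime(2024, 1, 1, 9, 0), "DC=example,DC=com"
    evs = [{"id": 4625, "time": t0 + timedelta(minutes=i), "account": "jdoe"} for i in range(5)]
    evs += [{"id": 4728, "group": "Domain Admins"}, {"id": 4728, "group": "Helpdesk"}, {"id": 4739}]
    evs += [{"id": 5136, "dn": f"CN=jdoe,OU=Staff,{dom}", "attr": a} for a in ("managedBy", "description")]
    return evs + [{"id": 5136, "dn": f"CN=Site2,CN=Sites,CN=Configuration,{dom}", "attr": "location"}]
```

Group membership changes outside `KEY_GROUPS` and attribute changes outside `KEY_ATTRS` are dropped on purpose, so both sets need to be extended to match the groups, service accounts and attributes that matter in a given directory.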