Thanks, 

I found a few of these and I believe event ID 565,556 is the one I am
looking for, but need to turn on the Success of Directory Service Access
for my Networking and Helpdesk and Domain Administrators groups and see
if all access is tracked accordingly. 

Right now I am getting the following from EventComb for the failures,
which really doesn't mean a hill of beans to me (figure I would have
seen CN=XXX,OU=XXX,Domain=XXX,Domain=OXX):

566,AUDIT FAILURE,Security,Wed Dec 19 07:19:07 2007,Domain\User,Object
Operation:     Operation Type DS     Object Type: Object Access
Object Name: %{bf967a86-0de6-11d0-a285-00aa003049e2}     Handle ID:
%{6d2ce8d9-5877-40ad-9b0d-0e78cb5db32a}     Primary User Name: -
Primary Domain: DC1$     Primary Logon ID: Domain    Client User Name:
(0x0,0x3E7)     Client Domain: User     Client Logon ID: LSMASTER
Accesses  (0x0,0x6BCB7A2D)     Properties:  Control Access
Additional Info: ---    %{771727b1-31b8-4cdf-ae62-4fe39fadf89e}
%{612cb747-c0e8-4f92-9221-fdd5f15b550d}
%{bf967a86-0de6-11d0-a285-00aa003049e2}     

Anything additional you can lend on this; it looks like I am going to
have a long, painful AD lockdown project in front of me.

Z 
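
An added example (not part of the thread): the %{...} tokens in the 566 record above are GUIDs that the event text leaves unresolved. This sketch pulls them out of the EventComb line and builds the LDAP filters for looking each one up as a schema class or attribute (schemaIDGUID, binary) or as an extended right (rightsGuid, string). The function names are hypothetical, and the single entry in KNOWN comes from the standard AD schema, not from the messages here.

```python
import re
import uuid

# Constructed sample: the EventComb record quoted in the message, joined onto one line.
SAMPLE = (
    r"566,AUDIT FAILURE,Security,Wed Dec 19 07:19:07 2007,Domain\User,Object "
    "Operation:     Operation Type DS     Object Type: Object Access "
    "Object Name: %{bf967a86-0de6-11d0-a285-00aa003049e2}     Handle ID: "
    "%{6d2ce8d9-5877-40ad-9b0d-0e78cb5db32a}     Primary User Name: - "
    "Primary Domain: DC1$     Primary Logon ID: Domain    Client User Name: "
    "(0x0,0x3E7)     Client Domain: User     Client Logon ID: LSMASTER "
    "Accesses  (0x0,0x6BCB7A2D)     Properties:  Control Access "
    "Additional Info: ---    %{771727b1-31b8-4cdf-ae62-4fe39fadf89e} "
    "%{612cb747-c0e8-4f92-9221-fdd5f15b550d} "
    "%{bf967a86-0de6-11d0-a285-00aa003049e2}"
)

# Assumption: local lookup table the admin fills in as GUIDs get resolved.
KNOWN = {"bf967a86-0de6-11d0-a285-00aa003049e2": "computer class (schemaIDGUID)"}

GUID_RE = re.compile(r"%\{([0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12})\}", re.I)

def parse_record(record):
    """Split the five leading CSV fields; the rest is free text that contains commas."""
    event_id, result, log, when, account, body = record.split(",", 5)
    # Preserve first-seen order while dropping repeated GUIDs.
    guids = list(dict.fromkeys(g.lower() for g in GUID_RE.findall(body)))
    return {"event_id": event_id, "result": result, "log": log,
            "when": when, "account": account, "guids": guids}

def ldap_filters(guid):
    """schemaIDGUID is an octet string (little-endian GUID layout); rightsGuid is text."""
    escaped = "".join("\\%02x" % b for b in uuid.UUID(guid).bytes_le)
    return {"schema": "(schemaIDGUID=%s)" % escaped,
            "extended_right": "(rightsGuid=%s)" % guid}

def report(record):
    rec = parse_record(record)
    lines = ["%s %s by %s at %s" % (rec["event_id"], rec["result"],
                                    rec["account"], rec["when"])]
    for g in rec["guids"]:
        name = KNOWN.get(g)
        if name:
            lines.append("  %s -> %s" % (g, name))
        else:
            f = ldap_filters(g)
            lines.append("  %s unresolved; try %s or %s"
                         % (g, f["schema"], f["extended_right"]))
    return lines

if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
```

The schema filter is searched under the Schema naming context and the rightsGuid filter under CN=Extended-Rights in the Configuration naming context.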


-----Original Message-----
From: Michael B. Smith [mailto:[EMAIL PROTECTED] 
Sent: Monday, December 24, 2007 12:01 PM
To: NT System Admin Issues
Subject: RE: Question on Directory Services Auditing

http://www.windowsitpro.com/Articles/ArticleID/15361/15361.html?Ad=1

or

http://support.microsoft.com/kb/174074

And this one, for good measure:

http://support.microsoft.com/kb/814595

Regards,

Michael B. Smith
MCSE/Exchange MVP
http://TheEssentialExchange.com


-----Original Message-----
From: Ziots, Edward [mailto:[EMAIL PROTECTED] 
Sent: Monday, December 24, 2007 11:37 AM
To: NT System Admin Issues
Subject: Question on Directory Services Auditing


Hey List, 

I got a quick question, I need to start auditing for Active Directory
Success actions accordingly, since someone did something silly and moved
an OU when they shouldn't have. 

I know I have to enable the Directory Service Access under the Audit
Policy in the Domain Controllers OU Group Policy, but what Event IDs
should I be looking for in the Domain Controller logs afterwards?

Anyone that can point me in the right directory I would be grateful, 

Z

~ Upgrade to Next Generation Antispam/Antivirus with Ninja!    ~
~ <http://www.sunbelt-software.com/SunbeltMessagingNinja.cfm>  ~

