Good article. I'm going to have to peruse it carefully. I've been
looking at group membership change notifications, and have found some.
It might be enough.

On Mon, May 5, 2008 at 12:20 PM, Christopher Boggs <[EMAIL PROTECTED]> wrote:
> Hopefully you've enabled directory service access auditing on the
>  DCs...  You only need to look for success/failure of modify permissions
>  or modify owner...
>
>  http://mcpmag.com/features/article.asp?editorialsid=233
>
>  Relevant info about auditing is about halfway down...
>
>  Like the article says though, it doesn't track who was given access or
>  what access was given, it just says what object, who did it, and at what
>  time.  Should be enough to figure it out, though.
>
>  -----Original Message-----
>  From: Kurt Buff [mailto:[EMAIL PROTECTED]
>  Sent: Monday, May 05, 2008 1:01 PM
>  To: NT System Admin Issues
>  Subject: Re: Domain Admin monkey business
>
>  I suspect a contractor brought in to cover while I was gone, but I'm
>  parsing logs now to see if I can determine that.
>
>  Fortunately, I syslog everything I can, so should be able to track it
>  down fairly quickly.
>
>  On Mon, May 5, 2008 at 10:59 AM, Steve Ens <[EMAIL PROTECTED]> wrote:
>  > Fire them all!  or at least fifty lashes.
>  >
>  > On Mon, May 5, 2008 at 12:56 PM, Kurt Buff <[EMAIL PROTECTED]> wrote:
>  > > Found it.
>  > >
>  > > Someone put the group in the Administrators group.
>  > >
>  > > I'm quite unhappy, and I'm investigating.
>  > >
>  > > On Mon, May 5, 2008 at 10:37 AM, Barsodi.John <[EMAIL PROTECTED]> wrote:
>  > > > Check the Account Operators group?
>  > > >
>  > > >  -----Original Message-----
>  > > >  From: Kurt Buff [mailto:[EMAIL PROTECTED]
>  > > >  Sent: Monday, May 05, 2008 10:30 AM
>  > > >  To: NT System Admin Issues
>  > > >  Subject: Domain Admin monkey business
>  > > >
>  > > >  I've been on vacation for a couple of weeks, and came back to a bit of
>  > > >  a situation. The helpdesk staff now seem to be able to control
>  > > >  accounts in the domain - they can set/reset passwords, disable/enable
>  > > >  accounts, update group memberships, etc.
>  > > >
>  > > >  I've looked, and domain admins looks as expected.
>  > > >
>  > > >  Am I correct in believing that the only other way this can happen is
>  > > >  through OU delegation? If so, how do I check to see what's changed WRT
>  > > >  delegation - how do I audit that?
>  > > >
>  > > >  Kurt
>  > > >
>  > > >  ~ Upgrade to Next Generation Antispam/Antivirus with Ninja!    ~
>  > > >  ~ <http://www.sunbelt-software.com/SunbeltMessagingNinja.cfm>  ~

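The question this thread ends on (who put a group into Administrators, and when) can be answered from the Security log's group membership change events. The following is an added example, not part of the original messages. It assumes domain controllers running Windows Server 2008 or later with account management auditing enabled; the function name `Get-PrivilegedGroupAddition`, the DC names `DC01`/`DC02` and the 21-day window are hypothetical placeholders.

```powershell
# Added example (not from the thread): report "member added" events for
# privileged groups. Event IDs: 4728 = global, 4732 = local (includes the
# builtin Administrators group), 4756 = universal security group.
function Get-PrivilegedGroupAddition {
    param(
        [string[]]$ComputerName = $env:COMPUTERNAME,
        [datetime]$StartTime    = (Get-Date).AddDays(-21),
        [string[]]$GroupName    = @('Administrators', 'Domain Admins',
                                    'Enterprise Admins', 'Account Operators')
    )
    # Security events are written only on the DC that processed the change,
    # so every DC has to be queried, not just one.
    foreach ($dc in $ComputerName) {
        $filter = @{ LogName = 'Security'; Id = 4728, 4732, 4756; StartTime = $StartTime }
        try {
            $events = Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction Stop
        } catch {
            # Also raised when the DC simply has no matching events.
            Write-Warning "${dc}: $($_.Exception.Message)"
            continue
        }
        foreach ($e in $events) {
            # Flatten the named <Data> fields of the event into a hashtable.
            $data = @{}
            foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
                $data[$d.Name] = $d.'#text'
            }
            if ($GroupName -contains $data['TargetUserName']) {
                [pscustomobject]@{
                    TimeCreated = $e.TimeCreated
                    DC          = $dc
                    EventId     = $e.Id
                    Group       = $data['TargetUserName']   # group that was modified
                    Member      = $data['MemberName']       # DN of the added member
                    MemberSid   = $data['MemberSid']
                    ChangedBy   = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
                }
            }
        }
    }
}

# Placeholder DC names; list every domain controller in the domain.
Get-PrivilegedGroupAddition -ComputerName 'DC01', 'DC02' |
    Sort-Object TimeCreated | Format-Table -AutoSize
```

A group nested inside Administrators shows up here as a `Member` whose DN is a group object, with `ChangedBy` naming the account that made the change.
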