?
Solved

Auditing domain admin's actions on exchange/OWA  settings

Posted on 2006-06-27
4
Medium Priority
?
258 Views
Last Modified: 2013-12-04
I have a domain admin that I suspect is chaning things on exchange and OWA (on the same server).  Long story short.  I fixed the issue with only having to enter in username and password only in OWA instead of domain\username.  This worked fine for quite a while until I brought up this fix in a meeting. The admin in question said it wouldn't stay fixed and wanted to implement forms based authentication. (we're not ready to go that way yet, eventually we will). Not more than an hour later, it "mysteriously" reverted back to domain\username in OWA.  

How would I go about auditing any changes made to the network, exchange, and any other servers, when the admin is logged on? I really need some help on this and fast.

thanks
0
Comment
Question by:cknoderer
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
4 Comments
 
LVL 38

Accepted Solution

by:
Rich Rumble earned 2000 total points
ID: 16996040
You should turn off the event logging levels, you can access them with secpol.msc or use AD to apply the logging level changes.
http://technet2.microsoft.com/WindowsServer/en/Library/5a86ab0f-c7eb-45ed-9e5e-514173bf15e31033.mspx
You can goto start>run... and type secpol.msc on the run line, then when that window opens goto Local Policies > Audit policy, and start changing the logging of sucess's or failures.
You can employ tools that can alert you to certain events that occur, there are free and paid tools for this.
Free: Snare http://www.intersectalliance.com/projects/SnareWindows/
Pay: GFI SELM http://gfi.com/lanselm/
Those tools will also serve as a backup of the log's, should someone erase them or modify them.
There are others, these two I like very much.
-rich
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 16996064
Geez... what a typo... I meant to say, you should turn UP event logging, not off...
-rich
0
 
LVL 1

Author Comment

by:cknoderer
ID: 17009748
Thanks. I will try out the snare program.  I want to nail this weasel to the wall.
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 17009782
M$ doesn't keep track of IP's but does use machine names. You may consider using the firewall in 2003 to log ip's, or getting a firewall like zonealarm pro that can also log access via ip.
-rich
0

Featured Post

Threat Trends for MSPs to Watch

See the findings.
Despite its humble beginnings, phishing has come a long way since those first crudely constructed emails. Today, phishing sites can appear and disappear in the length of a coffee break, and it takes more than a little know-how to keep your clients secure.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Recently, a new law in my state forced us to get a top-to-bottom analysis of all of our contract client's networks. While we have documentation, it was spotty at best for some - and in any event it needed to be checked against reality. That was m…
Container Orchestration platforms empower organizations to scale their apps at an exceptional rate. This is the reason numerous innovation-driven companies are moving apps to an appropriated datacenter wide platform that empowers them to scale at a …
NetCrunch network monitor is a highly extensive platform for network monitoring and alert generation. In this video you'll see a live demo of NetCrunch with most notable features explained in a walk-through manner. You'll also get to know the philos…
In this video, Percona Director of Solution Engineering Jon Tobin discusses the function and features of Percona Server for MongoDB. How Percona can help Percona can help you determine if Percona Server for MongoDB is the right solution for …
Suggested Courses
Course of the Month9 days, 14 hours left to enroll

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question