• Status: Solved
  • Priority: Medium
  • Security: Public

Identify Administrator Account Changing User Account Group Membership

We have 15 members in the 'Domain Admins' group.

Someone has been 'adding' certain regular network user accounts to the Domain Admin group.
No one will admit to doing it, but it has been going on for about a month (usually the same users getting added - no pattern to when).

We run AD with all Server 2003 and XP Pro workstations.

How do I identify who is making these changes?
I know the account names of the un-authorized users and authorized admins.

I can get access to the DC Event Logs.

All suggestions appreciated.

Thanks,
Vic
itcoza Commented:
You will have to set up a GPO that will enable the security logging on the DC's and what you want to do is to enable (use the default Domain Controller GPO)

Goto:

Computer Configuration -> Windows Settings -> Local Policies -> Audit Policy

Enable the following here:

Audit Account Logon event = Success
Audit Account management = Success, Failure

With this in place you will be able to check the security event log for information pertaining to who is playing with your accounts.

Regards,
M
Rich Rumble (Security Samurai) Commented:
Then get Snare to send you an alert of a new account being created, or purchase GFI's SELM http://www.gfi.com/lanselm/?adv=81&loc=1&adclickid=9547801
Snare: http://www.intersectalliance.com/projects/SnareWindows/index.html
-rich
Toni Uranjek (Consultant/Trainer) Commented:
After identifying the user who changes the "Domain Admins" group, I would suggest that you lower the number of domain administrators and use delegation to delegate appropriate tasks, and use Restricted Groups policy settings, which will monitor and correct group membership within 5 minutes on domain controllers.
younghv (Author) Commented:
Guys,
I have a 2,000 host domain that is part of a million+ host forest.

Auditing is turned on - if I get the logs, what SPECIFICALLY am I looking for (give me an Event ID, for example).

Nothing can be installed on the DC's (Forest Administrators manage them), but as mentioned - I can get either copies of -- or "Read" rights to - the Event Viewer.

I made this a 500 pointer last night because I can't find the specific answer - and the boss wants a solution today.

Bring back some more specifics, please.

Vic
Toni Uranjek (Consultant/Trainer) Commented:
I believe you should check for event id: 632, Success Audit, Global Group Member Added, if we are talking about adding users to "Domain Admins" group.
younghv (Author) Commented:
toniur,
I believe that 632 is 'Global Group Created' - with 633 being member added.

Vic
Toni Uranjek (Consultant/Trainer) Commented:
I have this article in my bookmarks: http://support.microsoft.com/kb/301677
Article applies to W2K, indeed.

If there are new IDs for 2003, pls, let me know.
Rich Rumble (Security Samurai) Commented:
GFI or Snare can monitor for such events and send an email to you about that addition. You can use a perl script from M$ to copy event logs off a DC to another pc:
http://support.microsoft.com/kb/318763 (requires Perl to be installed, see activestate perl)
Snare agents have to be installed on the local machine(s) to export the logs to a Syslog server.  GFI however can pull event logs remotely.
http://support.microsoft.com/kb/301677 632 is the event you'd look for, tested with 2003/XP/2000
M$ has something called MOM that will also fit the bill I think: http://www.microsoft.com/mom/downloads/2005/reskit/default.mspx (I've not used it yet)
http://www.microsoft.com/technet/technetmag/issues/2006/09/SecurityEvents/default.aspx
-rich
younghv (Author) Commented:
All,

Please - no more advice on 'installing' anything.

We are a domain in a rather large forest (check my profile).

Just getting 'Read' permissions of the DC Event Viewer is a significant accomplishment.

Also - to quote the punch line from an old joke -
"I'm in here because I'm crazy, not because I'm stupid."

I have already done the basic Google, MS, and E-E searches.

Again - Active Directory, Server 2003, all XP Pro SP2.

Vic
Rich Rumble (Security Samurai) Commented:
To find out who is doing this, you need to monitor the event log and or parse it for a certain event. With such a large network the event logs will take time to parse "by hand", even if you sort the ID field. I was merely suggesting software that can speed your task up to real-time.

>How do I identify who is making these changes?
Event log
>I can get access to the DC Event Logs.
That's step 1 :)
>All suggestions appreciated.
M$ also has a event log parser: http://www.microsoft.com/downloads/details.aspx?FamilyID=890cd06b-abf8-4c25-91b2-f8d975cf8c07&displaylang=en
-rich
younghv (Author) Commented:
All,
I'm running out of time here (1100 Hours Local).

Telling me to 'Audit the Event Logs' is not a 500 point solution.

BTW - my earlier statement is correct - at least on this Server 2003 AD:
"I believe that 632 is 'Global Group Created' - with 633 being member added."
Rich Rumble (Security Samurai) Commented:
The event log does tell you who created an account and from which pc, which is something you knew already. If you want prevention you likely know the answer to that as well.
I'm not sure how we can help you further.
-rich
Seelan Naidoo (Microsoft Systems Admin) Commented:
You might need to audit special permissions, or maybe object access for when members are added to Domain Admins.

I found this:

http://www.windowsecurity.com/articles/Auditing-Users-Groups-Windows-Security-Log.html
younghv (Author) Commented:
Hi Sean,
Thank you for checking in.
I saw that link last night.

I think we're just going to be stuck with exporting the logs and having one of our Perl gurus write a parsing script on the whole thing.

The problem is the size of the whole Enterprise (and resultant logs).

I was hoping to find a 'Rifle Shot' instead of the shotgun approach.

Thanks,
Vic
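One way to write the "parsing script" over an exported Security log, as an added example that is not code from this thread, from Microsoft or from any of the tools mentioned: it reads an Event Viewer CSV export, keeps the account-management events whose target group is Domain Admins, and tallies the Caller User Name per domain controller. The event ID to match is a parameter, since the thread disagrees on whether it is 632 or 633; the CSV column order and the Description field labels are assumptions based on the Server 2003 export format, and the sample rows are constructed.

```python
import csv
import io
import re
from collections import Counter

# Assumed column order of an Event Viewer CSV export on Server 2003 (the export writes no header row).
FIELDS = ["Date", "Time", "Source", "Type", "Category", "Event", "User", "Computer", "Description"]

# Constructed sample export, not a real log; Descriptions follow the 2003-era group-membership message layout.
SAMPLE_EXPORT = r'''1/15/2007,09:12:03,Security,Success Audit,Account Management,632,NT AUTHORITY\SYSTEM,DC01,"Security Enabled Global Group Member Added:  Member Name: CN=jdoe,CN=Users,DC=corp,DC=example  Member ID: CORP\jdoe  Target Account Name: Domain Admins  Target Domain: CORP  Target Account ID: CORP\Domain Admins  Caller User Name: badmin  Caller Domain: CORP  Caller Logon ID: (0x0,0x3E7)  Privileges: -"
1/15/2007,09:13:41,Security,Success Audit,Account Management,632,NT AUTHORITY\SYSTEM,DC01,"Security Enabled Global Group Member Added:  Member Name: CN=asmith,CN=Users,DC=corp,DC=example  Member ID: CORP\asmith  Target Account Name: Sales  Target Domain: CORP  Target Account ID: CORP\Sales  Caller User Name: helpdesk1  Caller Domain: CORP  Caller Logon ID: (0x0,0x4A1)  Privileges: -"
1/16/2007,22:05:17,Security,Success Audit,Account Management,633,NT AUTHORITY\SYSTEM,DC02,"Security Enabled Global Group Member Removed:  Member Name: CN=jdoe,CN=Users,DC=corp,DC=example  Member ID: CORP\jdoe  Target Account Name: Domain Admins  Target Domain: CORP  Target Account ID: CORP\Domain Admins  Caller User Name: badmin  Caller Domain: CORP  Caller Logon ID: (0x0,0x3E7)  Privileges: -"
1/20/2007,07:48:55,Security,Success Audit,Account Management,632,NT AUTHORITY\SYSTEM,DC02,"Security Enabled Global Group Member Added:  Member Name: CN=asmith,CN=Users,DC=corp,DC=example  Member ID: CORP\asmith  Target Account Name: Domain Admins  Target Domain: CORP  Target Account ID: CORP\Domain Admins  Caller User Name: badmin  Caller Domain: CORP  Caller Logon ID: (0x0,0x5C2)  Privileges: -"
'''

# Labels in the group-membership event Descriptions; each value is the text between consecutive labels.
LABELS = ["Member Name", "Member ID", "Target Account Name", "Target Domain",
          "Target Account ID", "Caller User Name", "Caller Domain", "Caller Logon ID", "Privileges"]
LABEL_RE = re.compile("|".join(re.escape(label) + ":" for label in LABELS))

def parse_description(desc):
    """Return {label: value} for every known label found in the Description text."""
    hits = list(LABEL_RE.finditer(desc))
    fields = {}
    for i, hit in enumerate(hits):
        end = hits[i + 1].start() if i + 1 < len(hits) else len(desc)
        fields[hit.group()[:-1]] = desc[hit.end():end].strip()
    return fields

def find_group_changes(export_text, group="Domain Admins", event_id="632"):
    """Keep rows with the wanted event ID whose target group matches; record who, whom and which DC."""
    changes = []
    for row in csv.DictReader(io.StringIO(export_text), fieldnames=FIELDS):
        if row["Event"] != event_id:
            continue
        d = parse_description(row["Description"])
        if d.get("Target Account Name", "").lower() != group.lower():
            continue
        changes.append({"when": row["Date"] + " " + row["Time"], "dc": row["Computer"],
                        "caller": d.get("Caller Domain", "") + "\\" + d.get("Caller User Name", ""),
                        "member": d.get("Member ID", "")})
    return changes

def callers(changes):
    # Count how many matching changes each caller account made.
    return Counter(c["caller"] for c in changes)

if __name__ == "__main__":
    for c in find_group_changes(SAMPLE_EXPORT):
        print(c["when"], c["dc"], c["caller"], "added", c["member"])
```

Point it at a real export by replacing SAMPLE_EXPORT with the file contents and, if the matched ID turns out to be the wrong one on your DCs, pass event_id accordingly.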
younghv (Author) Commented:
ALCON,
Thank you for the suggestions, but they just weren't what I was hoping for.

Since today was my last day in uniform, I am now officially a civilian and someone else can worry about this.
Point splits for giving it a good effort.

Regards and Semper Fidelis,
Vic
LanBuddha Commented:
I am not sure here but I would maybe tackle this another way.

In group policy, set the Domain Admins group to be a restricted group. You should get failure of privilege use, but you will have to test this.

Not sure if you can follow the link:
http://support.microsoft.com/default.aspx/kb/279301

I had to sign in.

Most admins do not know about this GPO setting and will not be able to figure out why they can not add the user...