Solved

Identify Administrator Account changing User Account Group Membership

Posted on 2006-11-28
Last Modified: 2013-12-04
We have 15 members in the 'Domain Admins' group.

Someone has been 'adding' certain regular network user accounts to the Domain Admin group.
No one will admit to doing it, but it has been going on for about a month (usually the same users getting added - no pattern to when).

We run AD with all Server 2003 and XP Pro workstations.

How do I identify who is making these changes?
I know the account names of the un-authorized users and authorized admins.

I can get access to the DC Event Logs.

All suggestions appreciated.

Thanks,
Vic
0
Comment
Question by:younghv
16 Comments
 
LVL 13

Assisted Solution

by:itcoza
itcoza earned 400 total points
ID: 18034167
You will have to set up a GPO that enables security logging on the DCs (use the default Domain Controller GPO), and what you want to do is enable the following.

Go to:

Computer Configuration -> Windows Settings -> Local Policies -> Audit Policy

Enable the following here:

Audit Account Logon event = Success
Audit Account management = Success, Failure

With this in place you will be able to check the security event log for information pertaining to who is playing with your accounts.

Regards,
M
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 18034370
Then get Snare to send you an alert of a new account being created, or purchase GFI's SELM http://www.gfi.com/lanselm/?adv=81&loc=1&adclickid=9547801
Snare: http://www.intersectalliance.com/projects/SnareWindows/index.html
-rich
0
 
LVL 31

Expert Comment

by:Toni Uranjek
ID: 18035494
After identifying the user who changes the "Domain Admins" group, I would suggest that you lower the number of domain administrators, use delegation to delegate appropriate tasks, and use Restricted Groups policy settings, which will monitor and correct group membership within 5 minutes on domain controllers.
0
 
LVL 38

Author Comment

by:younghv
ID: 18035826
Guys,
I have a 2,000 host domain that is part of a million+ host forest.

Auditing is turned on - if I get the logs, what SPECIFICALLY am I looking for (give me an Event ID, for example).

Nothing can be installed on the DC's (Forest Administrators manage them), but as mentioned - I can get either copies of -- or "Read" rights to - the Event Viewer.

I made this a 500 pointer last night because I can't find the specific answer - and the boss wants a solution today.

Bring back some more specifics, please.

Vic
0
 
LVL 31

Expert Comment

by:Toni Uranjek
ID: 18035852
I believe you should check for event id: 632, Success Audit, Global Group Member Added, if we are talking about adding users to "Domain Admins" group.
0
 
LVL 38

Author Comment

by:younghv
ID: 18035870
toniur,
I believe that 632 is 'Global Group Created' - with 633 being member added.

Vic
0
 
LVL 31

Assisted Solution

by:Toni Uranjek
Toni Uranjek earned 400 total points
ID: 18035907
I have this article in my bookmarks: http://support.microsoft.com/kb/301677
Article applies to W2K, indeed.

If there are new IDs for 2003, pls, let me know.
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 18036453
GFI or Snare can monitor for such events and send an email to you about that addition. You can use a perl script from M$ to copy event logs off a DC to another pc:
http://support.microsoft.com/kb/318763 (requires Perl to be installed, see activestate perl)
Snare agents have to be installed on the local machine(s) to export the logs to a Syslog server.  GFI however can pull event logs remotely.
http://support.microsoft.com/kb/301677 632 is the event you'd look for, tested with 2003/XP/2000
M$ has something called MOM that will also fit the bill I think: http://www.microsoft.com/mom/downloads/2005/reskit/default.mspx (I've not used it yet)
http://www.microsoft.com/technet/technetmag/issues/2006/09/SecurityEvents/default.aspx
-rich
0
 
LVL 38

Author Comment

by:younghv
ID: 18036628
All,

Please - no more advice on 'installing' anything.

We are a domain in a rather large forest (check my profile).

Just getting 'Read' permissions of the DC Event Viewer is a significant accomplishment.

Also - to quote the punch line from an old joke -
"I'm in here because I'm crazy, not because I'm stupid."

I have already done the basic Google, MS, and E-E searches.

Again - Active Directory, Server 2003, all XP Pro SP2.

Vic
0
 
LVL 38

Accepted Solution

by:
Rich Rumble earned 800 total points
ID: 18036680
To find out who is doing this, you need to monitor the event log and or parse it for a certain event. With such a large network the event logs will take time to parse "by hand", even if you sort the ID field. I was merely suggesting software that can speed your task up to real-time.

>How do I identify who is making these changes?
Event log
>I can get access to the DC Event Logs.
That's step 1 :)
>All suggestions appreciated.
M$ also has an event log parser: http://www.microsoft.com/downloads/details.aspx?FamilyID=890cd06b-abf8-4c25-91b2-f8d975cf8c07&displaylang=en
-rich
0
 
LVL 38

Author Comment

by:younghv
ID: 18037819
All,
I'm running out of time here (1100 Hours Local).

Telling me to 'Audit the Event Logs' is not a 500 point solution.

BTW - my earlier statement is correct - at least on this Server 2003 AD:
"I believe that 632 is 'Global Group Created' - with 633 being member added."
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 18038060
The event log does tell you who created an account and from which pc, which is something you knew already. If you want prevention you likely know the answer to that as well.
I'm not sure how we can help you further.
-rich
0
 
LVL 10

Assisted Solution

by:Seelan Naidoo
Seelan Naidoo earned 400 total points
ID: 18039453
You might need to audit special permissions, or maybe object access, for when members are added to Domain Admins..

I found this..

http://www.windowsecurity.com/articles/Auditing-Users-Groups-Windows-Security-Log.html 
0
 
LVL 38

Author Comment

by:younghv
ID: 18039583
Hi Sean,
Thank you for checking in.
I saw that link last night.

I think we're just going to be stuck with exporting the logs and having one of our Perl gurus write a parsing script on the whole thing.

The problem is the size of the whole Enterprise (and resultant logs).

I was hoping to find a 'Rifle Shot' instead of the shotgun approach.

Thanks,
Vic
0
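One way to do the export-and-parse approach this comment settles on (and that the accepted solution above describes as "parse it for a certain event"), as an added example that is not part of the thread: a Python script that reads a constructed, simplified tab-separated export of the DC Security log, keeps only the member-added events (632 global, 636 local and 660 universal group, as listed in KB 301677 linked earlier in the thread), and reports which caller account added which member to the watched group. The export layout, the flattening of the multi-line description onto one line with " | " separators, the domain CORP and every account name are constructed for the example; a real Event Viewer export will need the column mapping in parse_export() adjusted, and the event ID set should be checked against the DC's own log.

```python
"""Find who added members to a watched AD group from an exported
Server 2003 Security log.

Added example, not from the thread. Input is a constructed tab-separated
export (columns: Date, Time, Computer, EventID, Description) in which
the multi-line event description was flattened with " | " separators.
"""
import re
from collections import Counter

# "Member added" event IDs on Windows 2000/2003 as listed in KB 301677
# (linked in the thread): 632 global, 636 local, 660 universal group.
# Verify against your own DC's log before relying on this set.
MEMBER_ADDED_IDS = {632, 636, 660}

# Labelled fields that appear in the 632 description text.
FIELD_RE = re.compile(
    r"(Member Name|Member ID|Target Account Name|Caller User Name|Caller Domain):\s*([^|]*)"
)

# Constructed sample records (not real log data); CORP and all account
# names are invented for the example. Row order matters for the summary.
_ROWS = [
    ("Date", "Time", "Computer", "EventID", "Description"),
    ("11/27/2006", "22:14:03", "DC01", "632",
     "Security Enabled Global Group Member Added: | "
     "Member Name: CN=jsmith,OU=Users,DC=corp,DC=example | Member ID: CORP\\jsmith | "
     "Target Account Name: Domain Admins | Target Domain: CORP | "
     "Caller User Name: adm_vic | Caller Domain: CORP | Caller Logon ID: (0x0,0x3E7)"),
    ("11/28/2006", "02:41:55", "DC02", "632",
     "Security Enabled Global Group Member Added: | Member ID: CORP\\jsmith | "
     "Target Account Name: Domain Admins | Caller User Name: adm_mike | Caller Domain: CORP"),
    ("11/28/2006", "03:02:10", "DC02", "632",
     "Security Enabled Global Group Member Added: | Member ID: CORP\\tlee | "
     "Target Account Name: Domain Admins | Caller User Name: adm_mike | Caller Domain: CORP"),
    ("11/28/2006", "07:30:00", "DC01", "632",
     "Security Enabled Global Group Member Added: | Member ID: CORP\\adm_new | "
     "Target Account Name: Domain Admins | Caller User Name: adm_vic | Caller Domain: CORP"),
    ("11/28/2006", "08:00:00", "DC01", "632",
     "Security Enabled Global Group Member Added: | Member ID: CORP\\hdesk1 | "
     "Target Account Name: Helpdesk | Caller User Name: adm_vic | Caller Domain: CORP"),
    ("11/28/2006", "08:05:00", "DC01", "633",
     "Security Enabled Global Group Member Removed: | Member ID: CORP\\jsmith | "
     "Target Account Name: Domain Admins | Caller User Name: adm_vic | Caller Domain: CORP"),
    ("11/28/2006", "09:15:30", "DC01", "631",
     "Security Enabled Global Group Created: | Target Account Name: Project X | "
     "Caller User Name: adm_vic | Caller Domain: CORP"),
]
SAMPLE_EXPORT = "\n".join("\t".join(row) for row in _ROWS)


def parse_description(desc):
    """Return a dict of the labelled fields found in one event description."""
    return {label: value.strip() for label, value in FIELD_RE.findall(desc)}


def parse_export(text):
    """Yield one dict per record of the tab-separated export (header row first)."""
    lines = text.strip().splitlines()
    header = lines[0].split("\t")
    for line in lines[1:]:
        if not line.strip():
            continue
        rec = dict(zip(header, line.split("\t")))
        rec["EventID"] = int(rec["EventID"])
        yield rec


def find_group_additions(text, group="Domain Admins"):
    """Return (date, time, computer, caller, member) for every member-added
    event whose target group matches `group` (case-insensitive)."""
    hits = []
    for rec in parse_export(text):
        if rec["EventID"] not in MEMBER_ADDED_IDS:
            continue
        fields = parse_description(rec["Description"])
        if fields.get("Target Account Name", "").lower() != group.lower():
            continue
        caller = fields.get("Caller Domain", "?") + "\\" + fields.get("Caller User Name", "?")
        hits.append((rec["Date"], rec["Time"], rec["Computer"], caller,
                     fields.get("Member ID", "?")))
    return hits


def summarise(hits, authorised_members=()):
    """Count additions per caller, and list hits whose added member is not
    on the authorised list (sAMAccountName compared case-insensitively)."""
    allowed = {m.lower() for m in authorised_members}
    per_caller = Counter(h[3] for h in hits)
    unauthorised = [h for h in hits if h[4].split("\\")[-1].lower() not in allowed]
    return per_caller, unauthorised


if __name__ == "__main__":
    found = find_group_additions(SAMPLE_EXPORT)
    callers, bad = summarise(found, authorised_members=("adm_new",))
    for date, time, dc, caller, member in found:
        print(f"{date} {time} {dc}: {caller} added {member} to Domain Admins")
    print("additions per caller:", dict(callers))
    print("unauthorised members added:", sorted({h[4] for h in bad}))
```

Run it as-is to see the constructed sample summarised; for a real export, replace SAMPLE_EXPORT with the file contents and set authorised_members to the admin accounts that are allowed to be in the group, so the report shows only the additions that need explaining and which caller made each one.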
 
LVL 38

Author Comment

by:younghv
ID: 18042097
ALCON,
Thank you for the suggestions, but they just weren't what I was hoping for.

Since today was my last day in uniform, I am now officially a civilian and someone else can worry about this.
Point splits for giving it a good effort.

Regards and Semper Fidelis,
Vic
0
 
LVL 2

Expert Comment

by:LanBuddha
ID: 18042310
I am not sure here but I would maybe tackle this another way.

In group policy set the domain admins group to be a restricted group. You should get failure of privilege use but you will have to test this.

Not sure if you can follow the link:
http://support.microsoft.com/default.aspx/kb/279301

I had to sign in.

Most admins do not know about this GPO setting and will not be able to figure out why they can not add the user...
0