Identify Administrator Account changing User Account Group Membership

Posted on 2006-11-28
Last Modified: 2013-12-04
We have 15 members in the 'Domain Admins' group.

Someone has been 'adding' certain regular network user accounts to the Domain Admin group.
No one will admit to doing it, but it has been going on for about a month (usually the same users getting added - no pattern to when).

We run AD with all Server 2003 and XP Pro workstations.

How do I identify who is making these changes?
I know the account names of the un-authorized users and authorized admins.

I can get access to the DC Event Logs.

All suggestions appreciated.

Thanks,
Vic
Question by:younghv
 
LVL 13

Assisted Solution

by:itcoza
itcoza earned 100 total points
ID: 18034167
You will have to set up a GPO that enables security logging on the DCs (use the default Domain Controller GPO). What you want to enable is the following:

Goto:

Computer Configuration -> Windows Settings -> Local Policies -> Audit Policy

Enable the following here:

Audit Account Logon event = Success
Audit Account management = Success, Failure

With this in place you will be able to check the security event log for information pertaining to who is playing with your accounts.

Regards,
M
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 18034370
Then get Snare to send you an alert of a new account being created, or purchase GFI's SELM http://www.gfi.com/lanselm/?adv=81&loc=1&adclickid=9547801
Snare: http://www.intersectalliance.com/projects/SnareWindows/index.html
-rich
 
LVL 31

Expert Comment

by:Toni Uranjek
ID: 18035494
After identifying the user who changes the "Domain Admins" group, I would suggest that you lower the number of domain administrators, use delegation to delegate appropriate tasks, and use Restricted Groups policy settings, which will monitor and correct group membership within 5 minutes on domain controllers.
 
LVL 38

Author Comment

by:younghv
ID: 18035826
Guys,
I have a 2,000 host domain that is part of a million+ host forest.

Auditing is turned on - if I get the logs, what SPECIFICALLY am I looking for (give me an Event ID, for example).

Nothing can be installed on the DC's (Forest Administrators manage them), but as mentioned - I can get either copies of -- or "Read" rights to - the Event Viewer.

I made this a 500 pointer last night because I can't find the specific answer - and the boss wants a solution today.

Bring back some more specifics, please.

Vic
 
LVL 31

Expert Comment

by:Toni Uranjek
ID: 18035852
I believe you should check for event ID 632, Success Audit, Global Group Member Added, if we are talking about adding users to the "Domain Admins" group.
 
LVL 38

Author Comment

by:younghv
ID: 18035870
toniur,
I believe that 632 is 'Global Group Created' - with 633 being member added.

Vic
 
LVL 31

Assisted Solution

by:Toni Uranjek
Toni Uranjek earned 100 total points
ID: 18035907
I have this article in my bookmarks: http://support.microsoft.com/kb/301677
Article applies to W2K, indeed.

If there are new IDs for 2003, pls, let me know.
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 18036453
GFI or Snare can monitor for such events and send an email to you about that addition. You can use a perl script from M$ to copy event logs off a DC to another pc:
http://support.microsoft.com/kb/318763 (requires Perl to be installed, see activestate perl)
Snare agents have to be installed on the local machine(s) to export the logs to a Syslog server.  GFI however can pull event logs remotely.
http://support.microsoft.com/kb/301677 632 is the event you'd look for, tested with 2003/XP/2000
M$ has something called MOM that will also fit the bill I think: http://www.microsoft.com/mom/downloads/2005/reskit/default.mspx (I've not used it yet)
http://www.microsoft.com/technet/technetmag/issues/2006/09/SecurityEvents/default.aspx
-rich
 
LVL 38

Author Comment

by:younghv
ID: 18036628
All,

Please - no more advice on 'installing' anything.

We are a domain in a rather large forest (check my profile).

Just getting 'Read' permissions of the DC Event Viewer is a significant accomplishment.

Also - to quote the punch line from an old joke -
"I'm in here because I'm crazy, not because I'm stupid."

I have already done the basic Google, MS, and E-E searches.

Again - Active Directory, Server 2003, all XP Pro SP2.

Vic
 
LVL 38

Accepted Solution

by:Rich Rumble
Rich Rumble earned 200 total points
ID: 18036680
To find out who is doing this, you need to monitor the event log and/or parse it for a certain event. With such a large network the event logs will take time to parse "by hand", even if you sort the ID field. I was merely suggesting software that can speed your task up to real-time.

>How do I identify who is making these changes?
Event log
>I can get access to the DC Event Logs.
That's step 1 :)
>All suggestions appreciated.
M$ also has a event log parser: http://www.microsoft.com/downloads/details.aspx?FamilyID=890cd06b-abf8-4c25-91b2-f8d975cf8c07&displaylang=en
-rich
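A worked example added here (it is not code posted by anyone in this thread) of the step the accepted solution leaves to the reader, and of Toni Uranjek's pointer to event 632: a Python script that reads a Security log saved from Event Viewer as CSV and lists every membership change to a named group together with the caller account taken from the event description. It goes a little beyond the thread by also handling the local and universal group variants (636/660 added, 633/637/661 removed) and by tying each caller's Logon ID back to the 528/540 logon event on the same DC, which is the event that records the source workstation address. Assumptions: the export has the Event Viewer column order Date, Time, Source, Type, Category, Event, User, Computer, Description with no header row, and the description uses the "Label:   value" lines documented in KB 301677. The sample export embedded in the script is constructed; every account, DC name, time and logon ID in it is made up.

```python
import csv
import io
from collections import Counter

# Column order of a Security log saved as CSV by the Server 2003 Event Viewer
# (no header row): an assumption of this example, adjust to your export.
COLUMNS = ["Date", "Time", "Source", "Type", "Category",
           "Event", "User", "Computer", "Description"]

# Account Management event IDs for group membership changes on 2000/2003
# domain controllers (KB 301677): global / local / universal groups.
MEMBER_ADDED = {"632": "global", "636": "local", "660": "universal"}
MEMBER_REMOVED = {"633": "global", "637": "local", "661": "universal"}
LOGON_EVENTS = ("528", "540")  # successful logon / successful network logon

# Constructed sample export for this example: every name, time and logon ID
# below is made up.
SAMPLE_EXPORT = r"""11/27/2006,08:12:04,Security,Success Audit,Account Management,632,CORP\admin7,DC01,"Security Enabled Global Group Member Added:
    Member ID:      CORP\bjones
    Target Account Name:    Domain Admins
    Caller User Name:       admin7
    Caller Domain:  CORP
    Caller Logon ID:        (0x0,0x3E7A1)"
11/27/2006,09:28:02,Security,Success Audit,Logon/Logoff,540,CORP\vic,DC01,"Successful Network Logon:
    User Name:      vic
    Domain:         CORP
    Logon ID:       (0x0,0x41B20)
    Source Network Address: 10.1.2.33"
11/27/2006,10:02:58,Security,Success Audit,Account Management,633,CORP\vic,DC01,"Security Enabled Global Group Member Removed:
    Member ID:      CORP\bjones
    Target Account Name:    Domain Admins
    Caller User Name:       vic
    Caller Domain:  CORP
    Caller Logon ID:        (0x0,0x41B20)"
11/29/2006,07:55:20,Security,Success Audit,Account Management,632,CORP\admin7,DC02,"Security Enabled Global Group Member Added:
    Member ID:      CORP\bjones
    Target Account Name:    Domain Admins
    Caller User Name:       admin7
    Caller Domain:  CORP
    Caller Logon ID:        (0x0,0x5C10F)"
"""

def parse_description(text):
    """Turn the 'Label:   value' lines of an event description into a dict."""
    fields = {}
    for line in text.splitlines():
        label, sep, value = line.partition(":")
        if sep and value.strip():
            fields[label.strip()] = value.strip()
    return fields

def records(csv_text):
    """Iterate the export; csv handles the multi-line quoted descriptions."""
    return csv.DictReader(io.StringIO(csv_text), fieldnames=COLUMNS)

def find_membership_changes(csv_text, watched_group="Domain Admins"):
    """Every add/remove against watched_group, in file order, with the caller."""
    changes = []
    for row in records(csv_text):
        if row["Event"] in MEMBER_ADDED:
            action = "added"
        elif row["Event"] in MEMBER_REMOVED:
            action = "removed"
        else:
            continue  # logons, policy changes, etc. are not of interest
        f = parse_description(row["Description"] or "")
        if f.get("Target Account Name", "").lower() != watched_group.lower():
            continue
        changes.append({
            "when": f"{row['Date']} {row['Time']}",
            "dc": row["Computer"],
            "action": action,
            "member": f.get("Member ID") or f.get("Member Name", "?"),
            "caller": f"{f.get('Caller Domain', '?')}\\{f.get('Caller User Name', '?')}",
            "logon_id": f.get("Caller Logon ID", "?"),
        })
    return changes

def adds_per_caller(changes):
    """Who is doing the adding: number of 'added' events per caller account."""
    return Counter(c["caller"] for c in changes if c["action"] == "added")

def source_address_for(csv_text, dc, logon_id):
    """632 records the caller but not the machine; the 528/540 logon event on
    the same DC with the same Logon ID carries the Source Network Address."""
    for row in records(csv_text):
        if row["Computer"] != dc or row["Event"] not in LOGON_EVENTS:
            continue
        f = parse_description(row["Description"] or "")
        if f.get("Logon ID") == logon_id:
            return f.get("Source Network Address")
    return None

if __name__ == "__main__":
    changes = find_membership_changes(SAMPLE_EXPORT)
    for c in changes:
        src = source_address_for(SAMPLE_EXPORT, c["dc"], c["logon_id"]) or "unknown"
        print(f"{c['when']}  {c['dc']}  {c['action']:<7} {c['member']:<13} by {c['caller']}  from {src}")
    print("adds per caller:", dict(adds_per_caller(changes)))
```

For a real export, call find_membership_changes(open("security.csv").read()). Two caveats: 632 is written only on the DC that processed the change, so the log has to be pulled from every DC in the domain, not from one; and the 528/540 lookup only resolves a workstation when the caller's logon was recorded on that same DC with logon auditing turned on at the time.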
 
LVL 38

Author Comment

by:younghv
ID: 18037819
All,
I'm running out of time here (1100 Hours Local).

Telling me to 'Audit the Event Logs' is not a 500 point solution.

BTW - my earlier statement is correct - at least on this Server 2003 AD:
"I believe that 632 is 'Global Group Created' - with 633 being member added."
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 18038060
The event log does tell you who created an account and from which pc, which is something you knew already. If you want prevention you likely know the answer to that as well.
I'm not sure how we can help you further.
-rich
 
LVL 10

Assisted Solution

by:SeanUK777
SeanUK777 earned 100 total points
ID: 18039453
You might need to audit special permissions, or maybe object access, for when members are added to Domain Admins.

I found this..

http://www.windowsecurity.com/articles/Auditing-Users-Groups-Windows-Security-Log.html
 
LVL 38

Author Comment

by:younghv
ID: 18039583
Hi Sean,
Thanks for checking in.
I saw that link last night.

I think we're just going to be stuck with exporting the logs and having one of our Perl gurus write a parsing script on the whole thing.

The problem is the size of the whole Enterprise (and resultant logs).

I was hoping to find a 'Rifle Shot' instead of the shotgun approach.

Thanks,
Vic
 
LVL 38

Author Comment

by:younghv
ID: 18042097
ALCON,
Thank you for the suggestions, but they just weren't what I was hoping for.

Since today was my last day in uniform, I am now officially a civilian and someone else can worry about this.
Point splits for giving it a good effort.

Regards and Semper Fidelis,
Vic
 
LVL 2

Expert Comment

by:LanBuddha
ID: 18042310
I am not sure here but I would maybe tackle this another way.

In group policy, set the Domain Admins group to be a restricted group. You should get failure of privilege use, but you will have to test this.

Not sure if you can follow the link:
http://support.microsoft.com/default.aspx/kb/279301

I had to sign in.

Most admins do not know about this GPO setting and will not be able to figure out why they can not add the user...