Solved

Identify Administrator Account changing User Account Group Membership

Posted on 2006-11-28
Last Modified: 2013-12-04
We have 15 members in the 'Domain Admins' group.

Someone has been 'adding' certain regular network user accounts to the Domain Admin group.
No one will admit to doing it, but it has been going on for about a month (usually the same users getting added - no pattern to when).

We run AD with all Server 2003 and XP Pro workstations.

How do I identify who is making these changes?
I know the account names of the un-authorized users and authorized admins.

I can get access to the DC Event Logs.

All suggestions appreciated.

Thanks,
Vic
16 Comments
 
LVL 13

Assisted Solution

by:itcoza
itcoza earned 100 total points
ID: 18034167
You will have to set up a GPO that enables security logging on the DCs (use the default Domain Controller GPO).

Goto:

Computer Configuration -> Windows Settings -> Local Policies -> Audit Policy

Enable the following here:

Audit Account Logon event = Success
Audit Account management = Success, Failure

With this in place you will be able to check the security event log for information pertaining to who is playing with your accounts.

Regards,
M
LVL 38

Expert Comment

by:Rich Rumble
ID: 18034370
Then get Snare to send you an alert of a new account being created, or purchase GFI's SELM http://www.gfi.com/lanselm/?adv=81&loc=1&adclickid=9547801
Snare: http://www.intersectalliance.com/projects/SnareWindows/index.html
-rich
LVL 31

Expert Comment

by:Toni Uranjek
ID: 18035494
After identifying the user who changes the "Domain Admins" group, I would suggest that you lower the number of domain administrators, use delegation to delegate appropriate tasks, and use Restricted Groups policy settings, which will monitor and correct group membership within 5 minutes on domain controllers.
LVL 38

Author Comment

by:younghv
ID: 18035826
Guys,
I have a 2,000 host domain that is part of a million+ host forest.

Auditing is turned on - if I get the logs, what SPECIFICALLY am I looking for (give me an Event ID, for example).

Nothing can be installed on the DC's (Forest Administrators manage them), but as mentioned - I can get either copies of -- or "Read" rights to - the Event Viewer.

I made this a 500 pointer last night because I can't find the specific answer - and the boss wants a solution today.

Bring back some more specifics, please.

Vic
LVL 31

Expert Comment

by:Toni Uranjek
ID: 18035852
I believe you should check for event id: 632, Success Audit, Global Group Member Added, if we are talking about adding users to "Domain Admins" group.
LVL 38

Author Comment

by:younghv
ID: 18035870
toniur,
I believe that 632 is 'Global Group Created' - with 633 being member added.

Vic
LVL 31

Assisted Solution

by:Toni Uranjek
Toni Uranjek earned 100 total points
ID: 18035907
I have this article in my bookmarks: http://support.microsoft.com/kb/301677
Article applies to W2K, indeed.

If there are new IDs for 2003, please let me know.
LVL 38

Expert Comment

by:Rich Rumble
ID: 18036453
GFI or Snare can monitor for such events and send an email to you about that addition. You can use a Perl script from M$ to copy event logs off a DC to another PC:
http://support.microsoft.com/kb/318763 (requires Perl to be installed, see activestate perl)
Snare agents have to be installed on the local machine(s) to export the logs to a Syslog server.  GFI however can pull event logs remotely.
http://support.microsoft.com/kb/301677 632 is the event you'd look for, tested with 2003/XP/2000
M$ has something called MOM that will also fit the bill I think: http://www.microsoft.com/mom/downloads/2005/reskit/default.mspx (I've not used it yet)
http://www.microsoft.com/technet/technetmag/issues/2006/09/SecurityEvents/default.aspx
-rich
LVL 38

Author Comment

by:younghv
ID: 18036628
All,

Please - no more advice on 'installing' anything.

We are a domain in a rather large forest (check my profile).

Just getting 'Read' permissions of the DC Event Viewer is a significant accomplishment.

Also - to quote the punch line from an old joke -
"I'm in here because I'm crazy, not because I'm stupid."

I have already done the basic Google, MS, and E-E searches.

Again - Active Directory, Server 2003, all XP Pro SP2.

Vic
LVL 38

Accepted Solution

by:Rich Rumble
Rich Rumble earned 200 total points
ID: 18036680
To find out who is doing this, you need to monitor the event log and or parse it for a certain event. With such a large network the event logs will take time to parse "by hand", even if you sort the ID field. I was merely suggesting software that can speed your task up to real-time.

>How do I identify who is making these changes?
Event log
>I can get access to the DC Event Logs.
That's step 1 :)
>All suggestions appreciated.
M$ also has a event log parser: http://www.microsoft.com/downloads/details.aspx?FamilyID=890cd06b-abf8-4c25-91b2-f8d975cf8c07&displaylang=en
-rich
LVL 38

Author Comment

by:younghv
ID: 18037819
All,
I'm running out of time here (1100 Hours Local).

Telling me to 'Audit the Event Logs' is not a 500 point solution.

BTW - my earlier statement is correct - at least on this Server 2003 AD:
"I believe that 632 is 'Global Group Created' - with 633 being member added."
LVL 38

Expert Comment

by:Rich Rumble
ID: 18038060
The event log does tell you who created an account and from which pc, which is something you knew already. If you want prevention you likely know the answer to that as well.
I'm not sure how we can help you further.
-rich
LVL 10

Assisted Solution

by:SeanUK777
SeanUK777 earned 100 total points
ID: 18039453
You might need to audit special permissions, or maybe object access, for when members are added to Domain Admins.

I found this:

http://www.windowsecurity.com/articles/Auditing-Users-Groups-Windows-Security-Log.html 
LVL 38

Author Comment

by:younghv
ID: 18039583
Hi Sean,
Thanks for checking in.
I saw that link last night.

I think we're just going to be stuck with exporting the logs and having one of our Perl gurus write a parsing script on the whole thing.

The problem is the size of the whole Enterprise (and resultant logs).

I was hoping to find a 'Rifle Shot' instead of the shotgun approach.

Thanks,
Vic
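An added example (not from any poster in this thread) of the "parsing script" approach Vic describes above: it reads an exported DC security log and reports which caller account added members to Domain Admins, keyed on Event ID 632, which the KB 301677 article linked earlier lists as "Security Enabled Global Group Member Added". The input is a constructed sample shaped like an Event Viewer CSV export with the event description flattened onto one tab-separated line; the column layout, account names and logon IDs are assumptions.

```python
import csv
import io
import re
from collections import Counter

# Event IDs as listed in KB 301677 (linked in the thread): 632 = Security Enabled
# Global Group Member Added, 633 = Security Enabled Global Group Member Removed.
MEMBER_ADDED_IDS = {"632"}
WATCHED_GROUP = "Domain Admins"

# Constructed sample in the shape of an Event Viewer CSV export (Type,Date,Time,
# Source,Category,Event,User,Computer,Description); names, dates and logon IDs are made up.
SAMPLE_CSV = """Type,Date,Time,Source,Category,Event,User,Computer,Description
Success Audit,11/27/2006,09:14:02,Security,Account Management,632,EXAMPLE\\adm_jsmith,DC01,"Security Enabled Global Group Member Added:\tMember ID:\tEXAMPLE\\buser\tTarget Account Name:\tDomain Admins\tTarget Domain:\tEXAMPLE\tCaller User Name:\tadm_jsmith\tCaller Domain:\tEXAMPLE\tCaller Logon ID:\t(0x0,0x1A2B3C)"
Success Audit,11/27/2006,09:15:40,Security,Account Management,632,EXAMPLE\\adm_tlee,DC02,"Security Enabled Global Group Member Added:\tMember ID:\tEXAMPLE\\cuser\tTarget Account Name:\tSales Managers\tTarget Domain:\tEXAMPLE\tCaller User Name:\tadm_tlee\tCaller Domain:\tEXAMPLE\tCaller Logon ID:\t(0x0,0x4D5E6F)"
Success Audit,11/28/2006,07:02:11,Security,Account Management,633,EXAMPLE\\adm_jsmith,DC01,"Security Enabled Global Group Member Removed:\tMember ID:\tEXAMPLE\\buser\tTarget Account Name:\tDomain Admins\tTarget Domain:\tEXAMPLE\tCaller User Name:\tadm_jsmith\tCaller Domain:\tEXAMPLE\tCaller Logon ID:\t(0x0,0x1A2B3C)"
Success Audit,11/28/2006,08:41:55,Security,Account Management,632,EXAMPLE\\adm_jsmith,DC01,"Security Enabled Global Group Member Added:\tMember ID:\tEXAMPLE\\buser\tTarget Account Name:\tDomain Admins\tTarget Domain:\tEXAMPLE\tCaller User Name:\tadm_jsmith\tCaller Domain:\tEXAMPLE\tCaller Logon ID:\t(0x0,0x7A8B9C)"
Success Audit,11/28/2006,13:20:09,Security,Account Management,632,EXAMPLE\\adm_tlee,DC02,"Security Enabled Global Group Member Added:\tMember ID:\tEXAMPLE\\duser\tTarget Account Name:\tDomain Admins\tTarget Domain:\tEXAMPLE\tCaller User Name:\tadm_tlee\tCaller Domain:\tEXAMPLE\tCaller Logon ID:\t(0x0,0x4D5E6F)"
"""

# Labelled fields in the description; a value runs until the next tab or newline.
FIELD = re.compile(r"(Member ID|Target Account Name|Caller User Name|Caller Domain|Caller Logon ID):\s*([^\t\r\n]+)")

def group_membership_adds(export_text, group=WATCHED_GROUP):
    """Return one record per 632 event whose target group is `group`."""
    hits = []
    for row in csv.reader(io.StringIO(export_text)):
        if len(row) < 9 or row[5] not in MEMBER_ADDED_IDS:
            continue  # header row, other event IDs, or malformed line
        fields = dict(FIELD.findall(row[8]))
        if fields.get("Target Account Name") != group:
            continue  # an addition to some other group
        hits.append({
            "when": f"{row[1]} {row[2]}", "dc": row[7],
            "member": fields.get("Member ID", "?"),
            "caller": f"{fields.get('Caller Domain', '?')}\\{fields.get('Caller User Name', '?')}",
            # Logon ID pairs with the caller's earlier logon event, which names the source workstation
            "logon_id": fields.get("Caller Logon ID", "?"),
        })
    return hits

def callers_by_count(export_text, group=WATCHED_GROUP):
    """Rank the accounts that performed the additions, most frequent first."""
    return Counter(h["caller"] for h in group_membership_adds(export_text, group)).most_common()

if __name__ == "__main__":
    for h in group_membership_adds(SAMPLE_CSV):
        print(f"{h['when']}  {h['dc']}  {h['caller']} added {h['member']}  logon {h['logon_id']}")
    print("Totals:", callers_by_count(SAMPLE_CSV))
```

Point it at the real export by replacing SAMPLE_CSV with the file contents; the Caller Logon ID is what lets you join back to the logon event and so to the workstation the change came from.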
LVL 38

Author Comment

by:younghv
ID: 18042097
ALCON,
Thank you for the suggestions, but they just weren't what I was hoping for.

Since today was my last day in uniform, I am now officially a civilian and someone else can worry about this.
Point splits for giving it a good effort.

Regards and Semper Fidelis,
Vic
LVL 2

Expert Comment

by:LanBuddha
ID: 18042310
I am not sure here but I would maybe tackle this another way.

In group policy, set the Domain Admins group to be a restricted group. You should get a failure of privilege use, but you will have to test this.

Not sure if you can follow the link:
http://support.microsoft.com/default.aspx/kb/279301

I had to sign in.

Most admins do not know about this GPO setting and will not be able to figure out why they can not add the user...