Solved

How can I run an audit on Active directory admin users to see what they have changed.

Posted on 2008-10-27
5
209 Views
Last Modified: 2012-05-05
We have to give admin permissions in Active Directory for people to do user admin tasks like change passwords etc. A particular user who had this role gave himslf rights to open the MD's mailbox in exchange. Is there anyway we can lock this down or even better give them access but audit if they change anything in AD for example give himself access to someones mailbox.

Cheers Guys glad for any help on this
0
Comment
Question by:HBPROCK
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
5 Comments
 
LVL 70

Accepted Solution

by:
KCTS earned 125 total points
ID: 22811214
You need to aduit account management and privilaged use for the users see
http://technet.microsoft.com/en-us/library/cc737542.aspx
0
 
LVL 58

Expert Comment

by:tigermatt
ID: 22811288

Why are you giving users Domain Admins access just to perform simple tasks such as Reset Passwords, Unlock User Accounts etc.? This completely defies the rule of 'only give just as many permissions as required' - having users as complete Domain Admins when it isn't required is just a major security risk.

I suggest you remove these Domain Admin privileges from users, and add all the users who need the elevated privileges to a Security group. You can then Delegate Control over particular OUs to that security group - so you can delegate the rights to reset a password without the need for users to be a major security risk to your company network. See http://www.windowsecurity.com/articles/Built-in-Groups-Delegation.html.

And as for auditing what has already been done, you can use the approach KCTS has posted, but remember you CANNOT enable this and expect to see audit logs from before it was enabled. You can only see the audited logs from the moment of enabling this feature.

-tigermatt
0
 

Author Comment

by:HBPROCK
ID: 23013572
Hi guys thanks for you replys I have turned this on and there already seems to be loads of security logs flying around in event viewer especialy logon logoff etc. I can now see if an admin goes in and resets a password but doesn't seem to show anything if they goint a user and give themselves access to there mailbox. Also is this the only way of logging as it seems that you have to keep an eye on it all the time is there no way it can just email you when a certain event occurs?

Thanks
0
 
LVL 58

Assisted Solution

by:tigermatt
tigermatt earned 125 total points
ID: 23014471

Natively, Windows uses the Security event log to log audited events - that is what that event log exists for in the first place. There's no native method by which you can set yourself to be emailed if something happens, and it is expected for lots of events to be flying around as a result of auditing. You need to be very careful precisely what you audit - and only audit just enough - to ensure you do not fill the event logs too quickly and cause a detriment to the server performance.

-tigermatt
0
 

Author Closing Comment

by:HBPROCK
ID: 31510240
Ok guys thanks for your help!
0

Featured Post

Free Tool: Postgres Monitoring System

A PHP and Perl based system to collect and display usage statistics from PostgreSQL databases.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

This script can help you clean up your user profile database by comparing profiles to Active Directory users in a particular OU, and removing the profiles that don't match.
This article describes my battle tested process for setting up delegation. I use this process anywhere that I need to setup delegation. In the article I will show how it applies to Active Directory
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …
Are you ready to implement Active Directory best practices without reading 300+ pages? You're in luck. In this webinar hosted by Skyport Systems, you gain insight into Microsoft's latest comprehensive guide, with tips on the best and easiest way…

735 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question