Solved

Notification in change of ownership

Posted on 2009-03-30
Last Modified: 2013-11-05
I have a network where we have two domain admins - one of them has full access to all files, while the other does not need to be able to see all documents.  We do trust that other person, however, for legal reasons, we need some sort of "firmer differentiation".  Right now domain admins don't have access to any of the secured folders - however, I know that as a domain admin they can easily just take over ownership of a whole folder & then have access to it.  It may be months before I would even know that happens as I do not actively check that.  That said, I am looking to see if there is any application that can be added to a file server that notifies me when any ownership or permissions are changed?  (preferably via email or some other traceable method).  This would also help me in documenting changes to share permissions.

Along those same lines, are there any applications out there that can look at a single share (or better yet a full drive on a server) & then do a diagram of the permissions that are on each folder?  I need to work on building a permissions map for my disaster recovery & it would be a lot easier than going through on each folder.

Thanks ahead of time for your help.
Question by:rustyrpage
 
LVL 5

Accepted Solution

by:
mrmarkfury earned 250 total points
ID: 24024458
You can use auditing on the file server to log changes in permissions:

Go to the file server, go to Administrative tools->local security policy
Go to security settings->local policies->audit policy->and double-click "Audit object access"
Under Audit these attempts, check "Success" and click ok.

Then, go to Windows Explorer, Right click the share, and go to the security tab and click advanced.
Go to the auditing tab, add the Domain admins group.
Edit the Domain Admins group's auditing policy and check "change permissions" and "take ownership" under the success tab.  Make sure "Apply onto" is set to "This folder, subfolders, and files".
Click OK

This will log any changes in the permissions, or take ownership, to the file server's Event Log. To view, click Run, and enter eventvwr. The entries will be underneath Security.

Hope that helps

0
 
LVL 5

Expert Comment

by:mrmarkfury
ID: 24024466
Also, this may be able to help for the NTFS mapping:
http://technet.microsoft.com/en-us/sysinternals/bb897332.aspx
0
 
LVL 6

Author Comment

by:rustyrpage
ID: 24024499
The key would be to make it as automatic as possible - we have 20+ file servers that I would have to do this on, so an email would be ideal.
0
 
LVL 70

Assisted Solution

by:KCTS
KCTS earned 250 total points
ID: 24025056
Auditing of "privileged use" will enable you to monitor changes of ownership - nothing automatic though I'm afraid - but you can use EventCombMT to look for audit events across servers http://support.microsoft.com/kb/824209

If you want something to document the permissions try DumpSec http://www.systemtools.com/free.htm

There are also some MS tools that might help see http://technet.microsoft.com/en-us/sysinternals/25e27bed-b251-4af4-b30a-c2a2a93a80d9.aspx
0
 
LVL 6

Author Comment

by:rustyrpage
ID: 24030607
Thanks - that should get me going for the time being - I appreciate it!
0
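
One way to get the e-mail notification asked for in this thread, as an added example that is not part of the original posts: a PowerShell script, run from a scheduled task, that collects the audit events produced by the accepted answer's settings from each file server and mails any ownership or permission changes. It assumes Windows Server 2008 or later (Security event IDs 4663 and 4670, read with `Get-WinEvent`); the server names, mail addresses and SMTP host are placeholders.

```powershell
# Added example, not from the thread. Server names and mail settings are placeholders.
$Servers     = 'FS01', 'FS02'
$Since       = (Get-Date).AddHours(-24)   # assumes one run per day as a scheduled task
$WRITE_DAC   = 0x40000                    # access right: change permissions
$WRITE_OWNER = 0x80000                    # access right: take ownership

function Get-EventField([xml]$Xml, [string]$Name) {
    # Return the named <Data> value from the event's EventData section
    ($Xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

$findings = foreach ($server in $Servers) {
    try {
        $events = Get-WinEvent -ComputerName $server -ErrorAction Stop -FilterHashtable @{
            LogName = 'Security'; Id = 4663, 4670; StartTime = $Since }
    } catch {
        # "No matching events" is the normal quiet case; anything else is a collection gap
        if ($_.FullyQualifiedErrorId -notlike 'NoMatchingEventsFound*') {
            Write-Warning "${server}: $($_.Exception.Message)"
        }
        continue
    }
    foreach ($e in $events) {
        $xml = [xml]$e.ToXml()
        if ((Get-EventField $xml 'ObjectType') -ne 'File') { continue }
        $action = 'Permissions changed'                # event 4670
        if ($e.Id -eq 4663) {
            $mask = [Convert]::ToInt32((Get-EventField $xml 'AccessMask'), 16)
            if     ($mask -band $WRITE_OWNER) { $action = 'Ownership taken' }
            elseif ($mask -band $WRITE_DAC)   { $action = 'Permissions written' }
            else   { continue }                        # ordinary read/write access
        }
        [pscustomobject]@{
            Time   = $e.TimeCreated
            Server = $server
            User   = '{0}\{1}' -f (Get-EventField $xml 'SubjectDomainName'),
                                  (Get-EventField $xml 'SubjectUserName')
            Action = $action
            Path   = Get-EventField $xml 'ObjectName'
        }
    }
}

if ($findings) {
    Send-MailMessage -To 'audit@example.com' -From 'fileaudit@example.com' `
        -SmtpServer 'smtp.example.com' -Subject 'File server ownership/permission changes' `
        -Body ($findings | Sort-Object Time | Format-Table -AutoSize | Out-String -Width 250)
}
```

The script only finds events on folders where the audit policy and auditing entries from the accepted answer are in place. A server that cannot be read is reported as a warning rather than silently skipped, so a gap in collection is visible.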
