Solved

Notification in change of ownership

Posted on 2009-03-30
Last Modified: 2013-11-05
I have a network where we have two domain admins - one of them has full access to all files, while the other does not need to be able to see all documents.  We do trust that other person, however, for legal reasons, we need some sort of "firmer differentiation".  Right now domain admins don't have access to any of the secured folders - however, I know that as a domain admin they can easily just take over ownership of a whole folder & then have access to it.  It may be months before I would even know that happens as I do not actively check that.  That said, I am looking to see if there is any application that can be added to a file server that notifies me when any ownership or permissions are changed?  (preferably via email or some other traceable method).  This would also help me in documenting changes to share permissions.

Along those same lines, are there any applications out there that can look at a single share (or better yet a full drive on a server) & then do a diagram of the permissions that are on each folder?  I need to work on building a permissions map for my disaster recovery & it would be a lot easier than going through on each folder.

Thanks ahead of time for your help.
Question by:rustyrpage
5 Comments
 
LVL 5

Accepted Solution

by:
mrmarkfury earned 1000 total points
ID: 24024458
You can use auditing on the file server to log changes in permissions:

Go to the file server, go to Administrative Tools->Local Security Policy.
Go to Security Settings->Local Policies->Audit Policy and double-click "Audit object access".
Under "Audit these attempts", check "Success" and click OK.

Then, go to Windows Explorer, right-click the share, go to the Security tab and click Advanced.
Go to the Auditing tab, add the Domain Admins group.
Edit the Domain Admins group's auditing policy and check "Change permissions" and "Take ownership" under the Success tab.  Make sure "Apply onto" is set to "This folder, subfolders, and files".
Click OK.

This will log any changes in the permissions, or take ownership, to the file server's Event Log. To view, click Run, and enter eventvwr. The entries will be underneath Security.

Hope that helps

0
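A scripted form of the steps in the accepted answer, useful when the same audit entry has to go onto many servers. This is an added example, not code from the thread; it assumes Windows Server 2008 or later, an elevated PowerShell session on the file server, and the placeholder names `EXAMPLE\Domain Admins` and `D:\Shares\Legal`.

```powershell
# Added example (not from the thread). Run elevated on the file server.
# Policy side: enable success auditing for file system object access.
auditpol /set /subcategory:"File System" /success:enable

function Add-AclChangeAudit {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string] $Identity = 'EXAMPLE\Domain Admins'   # placeholder group name
    )
    # Audit only successful "Change permissions" and "Take ownership",
    # applied to this folder, subfolders, and files.
    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
        $Identity,
        [System.Security.AccessControl.FileSystemRights]'ChangePermissions, TakeOwnership',
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AuditFlags]::Success
    )

    # -Audit is required to read the SACL; without it only the DACL is returned.
    $acl = Get-Acl -Path $Path -Audit
    $acl.AddAuditRule($rule)        # merges with an identical existing rule
    Set-Acl -Path $Path -AclObject $acl

    # Return the audit entries now on the folder so the change can be checked.
    (Get-Acl -Path $Path -Audit).Audit
}

# Placeholder path: the root folder of the share to watch.
Add-AclChangeAudit -Path 'D:\Shares\Legal' | Format-Table IdentityReference, FileSystemRights, AuditFlags
```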
 
LVL 5

Expert Comment

by:mrmarkfury
ID: 24024466
Also, this may be able to help for the NTFS mapping:
http://technet.microsoft.com/en-us/sysinternals/bb897332.aspx
0
 
LVL 6

Author Comment

by:rustyrpage
ID: 24024499
The key would be to make it as automatic as possible - we have 20+ file servers that I would have to do this on, so an email would be ideal.
0
 
LVL 70

Assisted Solution

by:KCTS
KCTS earned 1000 total points
ID: 24025056
Auditing of "privileged use" will enable you to monitor changes of ownership - nothing automatic though I'm afraid - but you can use EventCombMT to look for audit events across servers http://support.microsoft.com/kb/824209

If you want something to document the permissions try DumpSec http://www.systemtools.com/free.htm

There are also some MS tools that might help; see http://technet.microsoft.com/en-us/sysinternals/25e27bed-b251-4af4-b30a-c2a2a93a80d9.aspx
0
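Once the audit entries are in place, the Security log records far more than permission changes, so a sweep across servers has to filter. The following added example (not from the thread) picks out ownership and permission changes; it assumes Server 2008 or later, where these appear as event 4663 with the WRITE_DAC or WRITE_OWNER bit in `AccessMask` and as event 4670. The sample events and the names `FS01`, `FS02`, `EXAMPLE` and `admin2` are constructed.

```powershell
# Added example (not from the thread).
$WRITE_DAC   = 0x40000   # access right used to change permissions
$WRITE_OWNER = 0x80000   # access right used to take ownership

function ConvertTo-AclChange {
    param([Parameter(Mandatory)] [xml] $EventXml)
    $sys  = $EventXml.Event.System
    $data = @{}
    foreach ($d in $EventXml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    $id = [int]$sys['EventID'].InnerText
    $change = @()
    if ($id -eq 4670) { $change += 'PermissionsChanged' }
    if ($id -eq 4663) {
        $mask = [Convert]::ToInt32($data['AccessMask'], 16)
        if ($mask -band $WRITE_DAC)   { $change += 'WriteDac' }
        if ($mask -band $WRITE_OWNER) { $change += 'TakeOwnership' }
    }
    if (-not $change) { return }    # ordinary file access: not reported

    [pscustomobject]@{
        Time   = $sys['TimeCreated'].GetAttribute('SystemTime')
        Server = $sys['Computer'].InnerText
        User   = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
        Object = $data['ObjectName']
        Change = $change -join ','
    }
}

# Constructed sample events: an ownership grab, a plain read, a permission change.
$tpl = '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>{0}</EventID>' +
       '<TimeCreated SystemTime="2009-03-30T10:15:00Z"/><Computer>FS01</Computer></System><EventData>' +
       '<Data Name="SubjectUserName">admin2</Data><Data Name="SubjectDomainName">EXAMPLE</Data>' +
       '<Data Name="ObjectName">D:\Shares\Legal</Data><Data Name="AccessMask">{1}</Data></EventData></Event>'
$samples = ($tpl -f 4663, '0x80000'), ($tpl -f 4663, '0x1'), ($tpl -f 4670, '')
$samples | ForEach-Object { ConvertTo-AclChange -EventXml $_ } | Format-Table -AutoSize

# Live use against real servers (names are placeholders), e.g. from a daily scheduled task:
# 'FS01','FS02' | ForEach-Object {
#     Get-WinEvent -ComputerName $_ -ErrorAction SilentlyContinue -FilterHashtable @{
#         LogName = 'Security'; Id = 4663, 4670; StartTime = (Get-Date).AddDays(-1) }
# } | ForEach-Object { ConvertTo-AclChange -EventXml $_.ToXml() }
```

The resulting objects can be piped to `Export-Csv` or formatted into the body of a `Send-MailMessage` call to get the email notification asked for in the question.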
 
LVL 6

Author Comment

by:rustyrpage
ID: 24030607
Thanks - that should get me going for the time being - I appreciate it!
0
