I need an active directory expert

ITGIT
I need to track changes made in the AD to user accounts

Commented:
In the AD MMC snap-in, configure the domain-wide security Group Policy to "Audit directory service access" and "Audit account management" on both Success and Failure.

All changes done to user accounts will be logged into the EventLog.

Commented:
There is a great TechNet article here on how to configure auditing of Active Directory objects: http://technet.microsoft.com/en-us/library/cc731607(WS.10).aspx
Brian Pierce, Photographer

Commented:
You don't need to audit Directory Access - that would produce lots of spurious stuff - if you just want to record when someone successfully changes an account then just enable Account Management for SUCCESS

see http://windowsitpro.com/article/articleid/84079/jsi-tip-9584-how-can-i-audit-account-management-events.html

Commented:
I personally would want to know if someone was trying to change it but didn't have access to, which would therefore result in a failure.

Personal preference I guess :-)

Author

Commented:
OK, got it up and running under domain policy. Are there any programs available that can report on changes made to someone's account and by whom or IP address?
Brian Pierce, Photographer

Commented:
In that case audit FAILURE as well (or instead of SUCCESS; you can have either, both or none). The audit log will reveal the user and computer involved.

Commented:
As per my first post then? :-)

Author

Commented:
Dumb question then I suppose

Q: How do I perform and review the audit to uncover the data?

 
Brian Pierce, Photographer

Commented:
Look in the security log in the event viewer
Brian Pierce, Photographer

Commented:

Author

Commented:
I don't see anything in the event log that would tell me who was affected and who performed the change

Commented:
There are two additional tools that you really should look at:

One logs the information you want:
http://www.petri.co.il/add_user_account_information_to_dsa.htm
________________________________________________________________
The second, adds additional account information on the AD account.
http://www.petri.co.il/images/acctinfo1.gif

"Note: You should note a nasty "feature" (as Microsoft sometimes calls it) - When you perform a search for a user through the regular Find function, the results won't let you see this additional information for the user's object. You'll need to manually browse to the user object and then double-click it.."
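
For the question raised in the thread about finding who was affected and who performed the change, the following is an added example and not part of any post above: a PowerShell function that reduces account-management events from the Security log to "who changed whom". It assumes PowerShell 3.0 or later and the Windows Server 2008+ event IDs; the function name, the sample event and the account names in it are constructed for illustration.

```powershell
# Added example. Event IDs are the Security-log account-management IDs
# used by Windows Server 2008 and later.
$AccountEventIds = @{
    4720 = 'Account created';  4722 = 'Account enabled'
    4724 = 'Password reset';   4725 = 'Account disabled'
    4726 = 'Account deleted';  4738 = 'Account changed'
}

function ConvertTo-AccountChange {   # hypothetical helper name
    param([Parameter(Mandatory = $true, ValueFromPipeline = $true)][string]$EventXml)
    process {
        $e  = ([xml]$EventXml).Event
        $id = [int]$e.System.EventID
        if (-not $AccountEventIds.ContainsKey($id)) { return }   # not an account change
        # Flatten <Data Name="...">value</Data> elements into a lookup table.
        $d = @{}
        foreach ($n in $e.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            TimeUtc   = $e.System.TimeCreated.SystemTime
            Action    = $AccountEventIds[$id]
            # The Keywords value distinguishes Audit Failure from Audit Success.
            Outcome   = if ($e.System.Keywords -eq '0x8010000000000000') { 'Failure' } else { 'Success' }
            ChangedBy = '{0}\{1}' -f $d['SubjectDomainName'], $d['SubjectUserName']
            Target    = '{0}\{1}' -f $d['TargetDomainName'], $d['TargetUserName']
            LoggedOn  = $e.System.Computer
        }
    }
}

# Constructed sample event (not from a real log), trimmed to the fields used above.
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>4738</EventID>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2010-01-15T10:22:31.000000000Z" />
    <Computer>DC01.corp.example</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserName">bob.user</Data>
    <Data Name="TargetDomainName">CORP</Data>
    <Data Name="SubjectUserName">alice.admin</Data>
    <Data Name="SubjectDomainName">CORP</Data>
  </EventData>
</Event>
'@
$sample | ConvertTo-AccountChange | Format-List

# Against a live domain controller (run elevated):
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = @($AccountEventIds.Keys) } |
#     ForEach-Object { $_.ToXml() } | ConvertTo-AccountChange
```

Account-management events are written to the Security log of the domain controller that processed the change, so the live query has to be run against each DC.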
