Solved

Auditing - RSOP

Posted on 2013-06-10
6
401 Views
Last Modified: 2013-06-25
We just set up a new GPO and enabled auditing on a couple of our servers. My question really is how do I verify/test this is working properly. We wanted to document/audit when certain changes occur on the network such as: modification of folders, who logs onto one of these servers and the normal auditing in general. As a test, I wanted to log in to each server, but don't know where I would view/verify each server log in order to make sure this auditing is correct.

Lastly, even if auditing is correct, is there a way to get even more granular?  There is one 2003 server and one 2008 R2 server.
0
Comment
Question by:uppercut7141
6 Comments
 
LVL 57

Expert Comment

by:Mike Kline
ID: 39235018
You would check the security event logs. 2008 R2 supports advanced audit config which can let you get more granular.

Do you have a test lab? You can test this out in a lab and get comfortable.

Thanks

Mike
0
 
LVL 24

Expert Comment

by:Sandeshdubey
ID: 39235033
In order to audit you first need to enable the audit policy for audit object access on the OU where all PCs are placed, or in the Default Domain Policy.

Refer to the links below:
http://www.sevenforums.com/tutorials/123362-audit-log-access-shared-folders.html
http://www.intelliadmin.com/index.php/2008/03/use-auditing-to-track-who-deleted-your-files/
http://social.technet.microsoft.com/Forums/en-US/systemcentermonitoring/thread/3b7d3dfa-99e5-4aaf-a0e5-3e7dc4cb6f93/

I would also recommend enabling a minimal audit setting on files and folders, as this will create a storm of events. Auditing can generate a large amount of data. Because the security log is limited in size, select the files and folders to be audited carefully. Also, consider the amount of disk space that you want to devote to the security log. The maximum size for the security log is defined in Event Viewer.

You need to check the event log to track the activities carried out by users. If a file is deleted, event ID 560 (Win2003) is logged in the security log.

You also need to enable audit account logon events to track the logon and account management. See this for auditing:
AD DS Auditing Step-by-Step Guide
http://technet.microsoft.com/en-us/library/cc731607(v=ws.10).aspx

You can use Eventtriggers.exe to send e-mail based on event IDs for certain critical event IDs:

Getting event log contents by email on an event log trigger
http://blogs.technet.com/b/jhoward/archive/2010/06/16/getting-event-log-contents-by-email-on-an-event-log-trigger.aspx

You can also set up event subscriptions in Windows 2008 to collect the events.
http://social.technet.microsoft.com/Forums/en-US/winservergen/thread/f82d4872-601f-47c0-8c84-e2cac269fe00/

Hope this helps
0
 

Author Comment

by:uppercut7141
ID: 39235371
I checked the Event Viewer and received the following Event IDs when I logged on/logged off the server as well as making a modification of permissions on a specific folder:


4672  -- when I logged onto server

4647, 4634 - when I logged off server



When I added rights to a specific folder for a user, I received event ID:  

4673  -- A privileged service was called
4688  -- Process creation

does this appear correct?  I was expecting more information from Event viewer.
0
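One way to check the result of the test described above from the server itself, as an added example that is not part of the original thread: the script lists the audit subcategories that are actually enabled (via the built-in auditpol.exe) and then pulls the event IDs mentioned in this thread from the local Security log. It assumes an elevated PowerShell 3.0 or later session on the 2008 R2 host; the 2003 server uses different event IDs (for example 560 for object access) and is not covered.

```powershell
# Added example, not code from the original thread. Assumes an elevated
# PowerShell 3.0+ session on the Windows Server 2008 R2 host being tested.

# Security event IDs the poster observed, with their documented meaning.
$ids = @{
    4672 = 'Special privileges assigned to new logon'   # seen at logon
    4634 = 'An account was logged off'                  # seen at logoff
    4647 = 'User initiated logoff'                      # seen at logoff
    4673 = 'A privileged service was called'            # seen on permission change
    4688 = 'A new process has been created'             # seen on permission change
}
$hours = 24   # look back this far; adjust to cover your test logon

# 1. Show which audit subcategories the GPO actually turned on here.
#    auditpol.exe is built in; lines reading "No Auditing" are filtered out.
Write-Host "== Enabled audit subcategories on $env:COMPUTERNAME =="
auditpol /get /category:* | Where-Object { $_ -match 'Success|Failure' }

# 2. Pull the matching events from the local Security log.
$filter = @{
    LogName   = 'Security'
    Id        = @($ids.Keys)
    StartTime = (Get-Date).AddHours(-$hours)
}
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

# 3. Count per ID so a missing ID (policy not applied) stands out.
Write-Host "== Events in the last $hours hours =="
foreach ($id in ($ids.Keys | Sort-Object)) {
    $n = @($events | Where-Object { $_.Id -eq $id }).Count
    Write-Host ("{0,5}  {1,4}  {2}" -f $id, $n, $ids[$id])
}

# 4. List the individual events with the account that triggered them,
#    taken from the SubjectUserName field of the event XML.
$events | ForEach-Object {
    $xml = [xml]$_.ToXml()
    $who = ($xml.Event.EventData.Data |
            Where-Object { $_.Name -eq 'SubjectUserName' }).'#text'
    [pscustomobject]@{ Time = $_.TimeCreated; Id = $_.Id; Account = $who }
} | Sort-Object Time | Format-Table -AutoSize
```

If a subcategory you expect is missing from the auditpol output, the GPO has not applied to this host yet; run gpupdate /force and check gpresult before re-testing.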

Author Comment

by:uppercut7141
ID: 39235702
Any thoughts on this?
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 39235717
Yes, those are correct. This is a very handy spreadsheet to have that lists all the events:

http://www.microsoft.com/en-us/download/details.aspx?id=17871

Thanks

Mike
0
 
LVL 5

Accepted Solution

by:
Pankaj_401 earned 500 total points
ID: 39237487
In Windows Server 2008 there is a possibility to audit changes in Active Directory.

Check out the Link

AD DS Auditing Step-by-Step Guide

They are audited as events in the Security event log, as recommended by mkline71. Also you can go for an AD auditing tool as well for the documentation purpose, as these tools have functionality to give a regular report in your desired format for verification purposes.
0
