Solved

Auditing - RSOP

Posted on 2013-06-10
6
407 Views
Last Modified: 2013-06-25
We just setup a new GPO and enabled auditing on a couple of our servers.  My question really is how do I verify/test this is working properly.  We wanted to document/audit when certain changes occur on the network such as; modification of folders, who logs onto one of these servers and the normal auditing in general.  As a test, I wanted to login to each server, but don't know where I would view/verify each server log in order to make sure this auting is correct.

Lastly, even if auditing is correct, is there a way to get even more granular?  There is one 2003 server and one 2008 R2 server.
0
Comment
Question by:uppercut7141
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
6 Comments
 
LVL 57

Expert Comment

by:Mike Kline
ID: 39235018
You would check the security event logs.   2008 R2 supports advanced audit config which can let you get more granular.

Do you have a test lab.  You can test this out in a lab and get comfortable.

Thanks

Mike
0
 
LVL 24

Expert Comment

by:Sandeshdubey
ID: 39235033
In order to audit you need to first enable audit policy for audit object access on the OU where all PC are placed or in default Domain Policy.
 

Refer below link:
http://www.sevenforums.com/tutorials/123362-audit-log-access-shared-folders.html
http://www.intelliadmin.com/index.php/2008/03/use-auditing-to-track-who-deleted-your-files/
http://social.technet.microsoft.com/Forums/en-US/systemcentermonitoring/thread/3b7d3dfa-99e5-4aaf-a0e5-3e7dc4cb6f93/
 

I would also recommend to enable minimal audit setting on files and folder as this will create strom of events.Auditing can generate a large amount of data.Because the security log is limited in size, select the files and folders to be audited carefully. Also, consider the amount of disk space that you want to devote to the security log. The maximum size for the security log is defined in Event Viewer.

You need to check event log to track the activities carried out by users.If file is deleted event id 560(Win2003) is logged in security log.

You also need to enable audit account logon events to tack the logon and account management see this for auditing:
AD DS Auditing Step-by-Step Guidehttp://technet.microsoft.com/en-us/library/cc731607(v=ws.10).aspx

You can set use Eventtriggers.exe to send e-mail based on Event IDs for certain critcal event ids:

Getting event log contents by email on an event log trigger
 http://blogs.technet.com/b/jhoward/archive/2010/06/16/getting-event-log-contents-by-email-on-an-event-log-trigger.aspx
 
You can also Set up event subscriptions in Windows 2008 to collectthe event.
 http://social.technet.microsoft.com/Forums/en-US/winservergen/thread/f82d4872-601f-47c0-8c84-e2cac269fe00/

Hope this helps
0
 

Author Comment

by:uppercut7141
ID: 39235371
I checked the Event Viewer and received the following Event ID's when I logged/logged off the server as well as making a modication of permission on a specific folder:


4672  -- when I logged onto server

4647, 4634 - when I logged off server



When I added rights to a specific folder for a user, I received event ID:  

4673  -- A priviledged service was called
4688  -- Process creation

does this appear correct?  I was expecting more information from Event viewer.
0
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 

Author Comment

by:uppercut7141
ID: 39235702
Any thoughts on this?
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 39235717
Yes those are correct, this is a very hand spreadsheet to have that lists all the events

http://www.microsoft.com/en-us/download/details.aspx?id=17871

Thanks

Mike
0
 
LVL 5

Accepted Solution

by:
Pankaj_401 earned 500 total points
ID: 39237487
In Windows Server 2008 there is a possibility to audit changes in Active Directory.

Check out the Link

AD DS Auditing Step-by-Step Guide

 They are audited as events in Security event log as recommended  by mkline71 also you can go for Ad Auditing tool as well for the documentation purpose as these tool have functionality to give a regular report in your desired format for verification purpose
0

Featured Post

Efficient way to get backups off site to Azure

This user guide provides instructions on how to deploy and configure both a StoneFly Scale Out NAS Enterprise Cloud Drive virtual machine and Veeam Cloud Connect in the Microsoft Azure Cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article runs through the process of deploying a single EXE application selectively to a group of user.
Active Directory security has been a hot topic of late, and for good reason. With 90% of the world’s organization using this system to manage access to all parts of their IT infrastructure, knowing how to protect against threats and keep vulnerabil…
This tutorial will show how to configure a single USB drive with a separate folder for each day of the week. This will allow each of the backups to be kept separate preventing the previous day’s backup from being overwritten. The USB drive must be s…
This tutorial will walk an individual through setting the global and backup job media overwrite and protection periods in Backup Exec 2012. Log onto the Backup Exec Central Administration Server. Examine the services. If all or most of them are stop…

733 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question