Solved

How to audit changes to AD objects/accounts?

Posted on 2014-04-11
3
357 Views
Last Modified: 2014-05-02
Experts,

What is the best practice to determine who made permission changes to an AD object? I know the account and have a general time frame of when the chance was made.

Thank you very much!
0
Comment
Question by:grindsmygeaqrs
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
3 Comments
 
LVL 13

Expert Comment

by:Santosh Gupta
ID: 39994530
Hi,

Please see the below link for best practice to determine who made permission changes to an AD object.
http://blog.pluralsight.com/windows-server-2008-auditing-active-directory
0
 
LVL 17

Expert Comment

by:Brad Bouchard
ID: 39995016
0
 
LVL 24

Accepted Solution

by:
Sandeshdubey earned 500 total points
ID: 39995765
Refer below link to enable auditing.

AD DS Auditing Step-by-Step Guide:
http://technet.microsoft.com/en-us/library/cc731607(v=ws.10).aspx

HOW TO: Audit Active Directory Objects in Windows Server 2003
http://support.microsoft.com/kb/814595

Apart from the auditing, you can use third party tools like Quest and Ntewrix to find out WHO changed WHAT, WHEN, and WHERE to list additions, deletions, and modifications made to Active Directory users, groups, computers, OUs, group memberships.
 
NetWrix tool : http://www.netwrix.com/active_directory_change_reporting_freeware.html
 
Quest: http://www.quest.com/changeauditor-for-active-directory/
0

Featured Post

Office 365 Training for IT Pros

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A 2007 NCSA Cyber Security survey revealed that a mere 4% of the population has a full understanding of firewalls. As business owner, you should be part of that 4% that has a full understanding.
There is a lot to be said for protecting yourself and your accounts with 2 factor authentication.  I found to my own chagrin, that there is a big downside as well.
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…

688 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question