EXCHANGE 2010

HOW CAN I CHECK EXCHANGE LOGS. there is somebody modifying one group
pramod1Asked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

pramod1Author Commented:
ia m looking  for a source from where one AD group is getting updated.
0
pramod1Author Commented:
which source in event logs should I check
0
Will SzymkowskiSenior Solution ArchitectCommented:
The logs will not show anything unless you have Administrator Logging enabled. See the below TechNet.
https://technet.microsoft.com/en-us/library/dd298041(v=exchg.141).aspx

Will.
0
Ultimate Tool Kit for Technology Solution Provider

Broken down into practical pointers and step-by-step instructions, the IT Service Excellence Tool Kit delivers expert advice for technology solution providers. Get your free copy now.

AmitIT ArchitectCommented:
You need to review security logs to find the changes. For that you need to enable Success logging. Read this
http://exchangepedia.com/2010/11/auditing-distribution-group-membership-changes.html
0
pramod1Author Commented:
it is enabled , but where do I check who is modifying the AD group
0
Scott CSenior Systems EnginerCommented:
Try searching for this....5136: A directory service object was modified

https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=5136


This event is not logged for creation, deletion, undeletion or moves of AD objects. See event IDs 5137, 5138, 5139, 5141.
0
pramod1Author Commented:
should I check in exchange or on AD SERVER
0
Scott CSenior Systems EnginerCommented:
On the DC in the Security Logs.

The changes are being made in AD and would be recorded on the DC.
0
AmitIT ArchitectCommented:
Changes will be logged on your DC's and DC logs replaced very fast. You need a tool to capture these logs and archive them. Tool like Change auditor or Qradar can be used to capture and used for review later.  Logs are the key.
0
pramod1Author Commented:
in event viewer under security logs
0
pramod1Author Commented:
where can I find the source which is modifying the object
0
pramod1Author Commented:
it can be host name of server
0
pramod1Author Commented:
can I look in exchange server
0
Will SzymkowskiSenior Solution ArchitectCommented:
If you do not have Auditing Enabled you will not see anything in the security logs. Auditing is NOT enabled by default.

After you enable auditing, if it isn't already enabled, you will not see the changes before it was enabled.


Will.
0
Will SzymkowskiSenior Solution ArchitectCommented:
Are you looking for a specific Group modifications? Use the HowTo i have created in order to enable Directory Service Auditing.

http://www.wsit.ca/how-tos/active-directory/configure-active-directory-auditing/

Once that is enabled you can use Active Direcotry Auditor by Lepide Software.
http://www.lepide.com/lepideauditor/active-directory.html

You can also use Exchange Auditor as well by Lepide Software
http://www.lepide.com/lepideauditor/exchange.html

Will.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Scott CSenior Systems EnginerCommented:
Will is 100% correct.  If you have just enabled Auditing, you will have to wait until the group is modified again, THEN you will look in the Security logs on a domain controller, NOT the Exchange Server.  

This is not an Exchange issue, it is an AD issue.
0
pramod1Author Commented:
sorry but under which event viwer- logs should I check
0
AmitIT ArchitectCommented:
If you have Windows 2008, you can look for also advance audit policy. Which can give you lot more details.
0
pramod1Author Commented:
I have been told to check set-admin on exchange , run some script
0
Scott CSenior Systems EnginerCommented:
Security Logs
0
Will SzymkowskiSenior Solution ArchitectCommented:
Follow my HowTo and it will show you were to look. Advanced Auditing can be enabled but it is not required. Directory Services Auditing is all that is required in this case.

Will.
0
pramod1Author Commented:
what script should I run on exchange
0
pramod1Author Commented:
Set-AdminAuditLogConfig  ON AD GROUP?
0
pramod1Author Commented:
one of our AD group is getting modified , can we use any event id or run script on exchange server

as it has email addrees , it is a security group
0
Scott CSenior Systems EnginerCommented:
@pramod1...are you even reading what we are posting here?
0
pramod1Author Commented:
nothing shows up 5136 error
0
pramod1Author Commented:
can we use REPADMIN /showobjmeta of ad group
0
pramod1Author Commented:
can you take control of my pc
0
Scott CSenior Systems EnginerCommented:
I'm out.
0
pramod1Author Commented:
one DA UNIVERSLA SECURITY GROUP IS CONSTANTLY MODIFIED AND THERE is no 5136 error
0
pramod1Author Commented:
AD UNIVERSAL SECURITY GROUP
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Exchange

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.