EXCHANGE 2010

HOW CAN I CHECK EXCHANGE LOGS. there is somebody modifying one group
pramod1Asked:

pramod1Author Commented:
I am looking for a source from where one AD group is getting updated.
pramod1Author Commented:
which source in event logs should I check
Will SzymkowskiSenior Solution ArchitectCommented:
The logs will not show anything unless you have Administrator Logging enabled. See the below TechNet.
https://technet.microsoft.com/en-us/library/dd298041(v=exchg.141).aspx

Will.
AmitIT ArchitectCommented:
You need to review security logs to find the changes. For that you need to enable Success logging. Read this
http://exchangepedia.com/2010/11/auditing-distribution-group-membership-changes.html
pramod1Author Commented:
It is enabled, but where do I check who is modifying the AD group?
Scott CSenior EngineerCommented:
Try searching for this....5136: A directory service object was modified

https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=5136


This event is not logged for creation, deletion, undeletion or moves of AD objects. See event IDs 5137, 5138, 5139, 5141.
pramod1Author Commented:
should I check in exchange or on AD SERVER
Scott CSenior EngineerCommented:
On the DC in the Security Logs.

The changes are being made in AD and would be recorded on the DC.
AmitIT ArchitectCommented:
Changes will be logged on your DCs, and DC logs are replaced very fast. You need a tool to capture these logs and archive them. A tool like Change Auditor or QRadar can be used to capture them and review them later. Logs are the key.
pramod1Author Commented:
in event viewer under security logs
pramod1Author Commented:
where can I find the source which is modifying the object
pramod1Author Commented:
it can be host name of server
pramod1Author Commented:
can I look in exchange server
Will SzymkowskiSenior Solution ArchitectCommented:
If you do not have Auditing Enabled you will not see anything in the security logs. Auditing is NOT enabled by default.

After you enable auditing, if it isn't already enabled, you will not see the changes before it was enabled.


Will.
Will SzymkowskiSenior Solution ArchitectCommented:
Are you looking for a specific group's modifications? Use the HowTo I have created in order to enable Directory Service Auditing.

http://www.wsit.ca/how-tos/active-directory/configure-active-directory-auditing/

Once that is enabled you can use Active Directory Auditor by Lepide Software.
http://www.lepide.com/lepideauditor/active-directory.html

You can also use Exchange Auditor as well by Lepide Software
http://www.lepide.com/lepideauditor/exchange.html

Will.

Scott CSenior EngineerCommented:
Will is 100% correct.  If you have just enabled Auditing, you will have to wait until the group is modified again, THEN you will look in the Security logs on a domain controller, NOT the Exchange Server.  

This is not an Exchange issue, it is an AD issue.
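
The lookup described in the answers above, written out as an added example (not part of the original thread or any poster's own script): it reads event 5136 from the Security log on a domain controller and lists who changed a given group. The group DN is a constructed placeholder, and the sketch assumes Directory Service Changes auditing and an auditing entry on the group are already in place.

```powershell
# Run in an elevated PowerShell session on a domain controller.
# Constructed placeholder: replace with the distinguishedName of the group being changed.
$GroupDN = 'CN=Example-Group,OU=Groups,DC=example,DC=com'

# 5136 is written only when the "Directory Service Changes" subcategory audits Success
# and the object (or a parent container) carries an auditing entry for writes.
auditpol /get /subcategory:"Directory Service Changes"

# Event 5136 reports the operation as a message token.
$OpNames = @{ '%%14674' = 'Value Added'; '%%14675' = 'Value Deleted' }

$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5136 } `
                       -ErrorAction SilentlyContinue

$changes = foreach ($e in $events) {
    # Flatten the EventData name/value pairs into a hashtable.
    $d = @{}
    foreach ($n in ([xml]$e.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    # Keep only changes to the group under investigation (comparison is case-insensitive).
    if ($d['ObjectDN'] -ne $GroupDN) { continue }

    [pscustomobject]@{
        TimeCreated = $e.TimeCreated
        ChangedBy   = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
        LogonId     = $d['SubjectLogonId']
        Attribute   = $d['AttributeLDAPDisplayName']   # 'member' for membership changes
        Operation   = $OpNames["$($d['OperationType'])"]
        Value       = $d['AttributeValue']
    }
}

if (-not $changes) {
    # No match: auditing was off when the change happened, the group has no
    # auditing entry, the log has rolled over, or another DC took the change.
    Write-Warning "No 5136 events for $GroupDN in this DC's Security log."
} else {
    $changes | Sort-Object TimeCreated | Format-Table -AutoSize -Wrap
}
```

The event is recorded only on the domain controller that processed the change, so run the query on each DC. The LogonId value can be matched against event 4624 in the same DC's Security log to see where that session came from.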
pramod1Author Commented:
Sorry, but under which event viewer logs should I check?
AmitIT ArchitectCommented:
If you have Windows 2008, you can also look at the advanced audit policy, which can give you a lot more details.
pramod1Author Commented:
I have been told to check set-admin on exchange , run some script
Scott CSenior EngineerCommented:
Security Logs
Will SzymkowskiSenior Solution ArchitectCommented:
Follow my HowTo and it will show you where to look. Advanced Auditing can be enabled but it is not required. Directory Services Auditing is all that is required in this case.

Will.
pramod1Author Commented:
what script should I run on exchange
pramod1Author Commented:
Set-AdminAuditLogConfig  ON AD GROUP?
pramod1Author Commented:
one of our AD group is getting modified , can we use any event id or run script on exchange server

as it has an email address, it is a security group
Scott CSenior EngineerCommented:
@pramod1...are you even reading what we are posting here?
pramod1Author Commented:
nothing shows up 5136 error
pramod1Author Commented:
can we use REPADMIN /showobjmeta of ad group
pramod1Author Commented:
can you take control of my pc
Scott CSenior EngineerCommented:
I'm out.
pramod1Author Commented:
one DA UNIVERSAL SECURITY GROUP IS CONSTANTLY MODIFIED AND THERE is no 5136 error
pramod1Author Commented:
AD UNIVERSAL SECURITY GROUP