auditing active directory not working properly directory serviceaccess

microsoft.public.windows.server.security
Posted by ThijsD on October 21, 2005, 7:47 pm
Hello,

We have a large group of IT personnel that have full control on some
OUs in our Active Directory.
Recently someone changed the AD permissions on one of those OUs. In the
future we need to be able to track who has changed the permissions.
We have one domain and our domain controllers are running Windows Server
2003 SP1.
After enabling auditing for permission changes on the root of the
domain, my security log fills up with all sorts of DSA events, e.g. AD &
DNS replication, GAL lookups, ..., instead of only the events related to
permission changes.

This is what I did:
I enabled the "Directory Service Access" audit policy in the Default
Domain Controllers Policy. Then I ran gpupdate /force to reapply the
policy.
My security log immediately started to fill up with DSA events (100
events/minute).
When I look at properties of the root domain -> security -> auditing, I
see the following:
All, Everyone, Special, This object & all other objects.
When looking further at the 'Special' auditing permission, I see lots of
different checkboxes ticked, so it makes sense that the security log is
filling up with those events.

Now the weird thing is that when I remove the default auditing entry
(which logs almost everything) and add a new one that only logs
"changing permissions", the security log still keeps filling up with the
same events. Normally it should only log "permission changes" events
now, no?
How can I configure the auditing so it only logs events related to
permission changes on AD objects, more specifically OUs? What am I doing wrong?

Thanks in advance!
Best regards,
ThijsD




Posted by Steven L Umbach on October 21, 2005, 10:39 pm
Check the other containers such as OUs, computer, user, domain controllers
to see if any auditing is configured there also which you would also want to
remove. Another possibility is that your changes of what to audit have not
replicated to all domain controllers yet. You would want to configure
auditing only on the pertinent OUs and not on the domain container [unless
they have access there also] and audit only the specific group of users you
want to track. Do not audit for Everyone, Users, Domain Users, Authenticated
Users, etc. for what you are trying to accomplish. Authenticated Users and
Everyone would also include all computers in the domain. When you enable
auditing of object access or directory services you will also see what seem
to be unrelated events recorded. You will also find that the free Event Comb
from MS will help scan the security logs for events and text strings you are
searching for. The command-line tool dsacls may also be helpful in looking
for what is being audited per container if you use the /A switch, as in
"dsacls OU=ouname,dc=mydomain,dc=com /A". Look at the line for "audit list:",
which should be the second or third line down in the report. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;308471 --- Event
Comb info.



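Steve's advice in code form, as an added example that is not part of the original thread: replace the broad default audit entry (Everyone, nearly every right) with one scoped to a single group and to WriteDacl, which is the "Modify permissions" checkbox in the GUI, on one OU and its descendants, and print the audit list before and after, the same information "dsacls <dn> /A" reports. It uses the .NET System.DirectoryServices classes that PowerShell exposes. The OU distinguished name and the group name are hypothetical placeholders; run it on a domain controller (or a host with RSAT) as an account that holds SeSecurityPrivilege ("Manage auditing and security log"), because the SACL is neither returned nor writable without that right, and because the DirectoryEntry must be bound with the Sacl security mask, which the script sets explicitly.

```powershell
# Added example, not code from the thread. Names below are placeholders.
param(
    [string]$OuDn  = 'OU=Servers,DC=example,DC=com',   # hypothetical OU
    [string]$Group = 'EXAMPLE\OU-Admins'               # hypothetical admin group
)
Add-Type -AssemblyName System.DirectoryServices

# Bind to the OU asking for the SACL part of the security descriptor.
# Without SecurityMasks = Sacl, ObjectSecurity silently omits the audit ACEs.
$entry = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$OuDn")
$entry.Options.SecurityMasks = [System.DirectoryServices.SecurityMasks]::Sacl

function Show-AuditEntries($de) {
    # One line per audit ACE, explicit and inherited, resolved to account names.
    # This is the "audit list:" that dsacls /A prints.
    $de.ObjectSecurity.GetAuditRules($true, $true, [System.Security.Principal.NTAccount]) |
        ForEach-Object {
            '{0,-30} {1,-8} {2,-40} inherited={3}' -f `
                $_.IdentityReference, $_.AuditFlags, $_.ActiveDirectoryRights, $_.IsInherited
        }
}

'Audit entries before:'
Show-AuditEntries $entry

# Drop every explicit audit ACE for Everyone (S-1-1-0). Inherited entries
# cannot be removed here; they have to be removed on the container that
# defines them, which is Steve's first point.
$everyone = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')
$entry.ObjectSecurity.PurgeAuditRules($everyone)

# Add one narrow entry: the admin group, successful WriteDacl (permission
# changes) on this OU and all child objects. Add WriteOwner as well if
# ownership changes should be tracked too, since a new owner can rewrite the DACL.
$sid = (New-Object System.Security.Principal.NTAccount($Group)).Translate(
           [System.Security.Principal.SecurityIdentifier])
$rule = New-Object System.DirectoryServices.ActiveDirectoryAuditRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteDacl,
    [System.Security.AccessControl.AuditFlags]::Success,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
$entry.ObjectSecurity.AddAuditRule($rule)
$entry.CommitChanges()

'Audit entries after:'
Show-AuditEntries $entry
```

A Success-only WriteDacl entry produces no events for reads, replication or GAL lookups, so if those keep appearing after this change the SACL generating them lives on another container or on another partition, not on this OU. Only explicit entries are purged; an inherited Everyone entry still shows inherited=True afterwards and has to be fixed where it is defined.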


Posted by ThijsD on October 22, 2005, 12:22 pm
Hi Steven,

Thank you for your answer.
I'll try this on monday and let you know how it went.

Best regards,
ThijsD



Posted by ThijsD on October 24, 2005, 8:16 pm
Hi Steven,

I did what you suggested, but I still have the same problem :(
I verified that all containers have no auditing entries set. (I double
checked.) Then I set just one audit entry on the specific OU and
specified a specific group. It didn't help though; my security log keeps
filling up at a speed of 3-4 events each second.
I then deleted the audit entry to see if the security log keeps
filling up, and yep, that was the case.
So when I just enable audit "Directory Service Access" in the default DC
policy, without any audit entries set, it keeps filling up?!? How is
this possible??

What do you mean by enabling auditing of "object access or directory
services"? I thought object access is only related to auditing of local
files/registry keys, not AD, or am I wrong? By directory services you mean
directory service access, I presume?

Thanks again for your help!
Best regards,
ThijsD



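A check for the situation in this post, as an added example that is not from the thread: the Active Directory Users and Computers view only shows the domain partition, while the Configuration and Schema partitions and any application partitions (DomainDnsZones, ForestDnsZones) each carry their own SACLs on their own objects, so "all containers have no auditing entries" may be true only for the domain partition. The script reads the list of naming contexts from RootDSE, walks each one and reports every explicit (non-inherited) audit ACE with the object that defines it, then groups the directory-service-access events in the Security log by object type and access mask to show what is actually generating the volume. It assumes a Windows Server 2008 or later DC with Get-WinEvent, where the event ID is 4662 (on Windows Server 2003 the equivalent is event 566 and Get-WinEvent is unavailable); the account needs SeSecurityPrivilege on the queried DC; no names are taken from the thread.

```powershell
# Added example, not code from the thread. Requires SeSecurityPrivilege on the DC.
Add-Type -AssemblyName System.DirectoryServices

function Get-NamingContexts {
    # RootDSE lists every partition this DC hosts: domain NC, CN=Configuration,
    # CN=Schema and application partitions such as DC=DomainDnsZones.
    $root = New-Object System.DirectoryServices.DirectoryEntry('LDAP://RootDSE')
    @($root.Properties['namingContexts'])
}

function Find-ExplicitAuditEntries([string]$BaseDn) {
    # Subtree search under $BaseDn asking only for the SACL; report ACEs that
    # are defined on the object itself. Inherited ones point back to one of these.
    $base     = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$BaseDn")
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($base, '(objectClass=*)')
    $searcher.SearchScope    = 'Subtree'
    $searcher.PageSize       = 1000
    $searcher.SecurityMasks  = [System.DirectoryServices.SecurityMasks]::Sacl
    $searcher.PropertiesToLoad.Add('ntSecurityDescriptor') | Out-Null

    foreach ($r in $searcher.FindAll()) {
        $raw = $r.Properties['ntsecuritydescriptor']
        if (-not $raw -or $raw.Count -eq 0) { continue }   # no SACL returned (no privilege)
        $sd = New-Object System.DirectoryServices.ActiveDirectorySecurity
        $sd.SetSecurityDescriptorBinaryForm([byte[]]$raw[0])
        # includeExplicit=$true, includeInherited=$false
        foreach ($ace in $sd.GetAuditRules($true, $false, [System.Security.Principal.SecurityIdentifier])) {
            [pscustomobject]@{
                Partition = $BaseDn
                Object    = $r.Path
                Identity  = $ace.IdentityReference
                Flags     = $ace.AuditFlags
                Rights    = $ace.ActiveDirectoryRights
            }
        }
    }
}

'Explicit audit ACEs per partition:'
Get-NamingContexts | ForEach-Object { Find-ExplicitAuditEntries $_ } | Format-Table -AutoSize

# What is the log full of? 4662 carries ObjectType (schema GUID of the class),
# AccessMask and the subject. WriteDacl shows up as AccessMask 0x40000 (WRITE_DAC);
# read masks such as 0x10 (read property) or 0x100 (control access) are the noise
# the poster describes and come from whichever SACLs the scan above lists.
'Top 4662 event shapes in the Security log:'
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4662 } -MaxEvents 2000 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{ ObjectType = $d.ObjectType; AccessMask = $d.AccessMask; Subject = $d.SubjectUserName }
    } |
    Group-Object ObjectType, AccessMask |
    Sort-Object Count -Descending |
    Select-Object -First 15 Count, Name |
    Format-Table -AutoSize
```

The subtree walk over a large domain partition takes a while; run it against one partition at a time by calling Find-ExplicitAuditEntries with that DN if the full pass is too slow. An entry for Everyone or Authenticated Users on a partition head, or on a DNS application partition, explains replication and lookup events that survive removing every entry visible in Active Directory Users and Computers.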
