UltimateWindowsSecurity.com Forum / Ultimate Windows Security Forum / IT Audit / Active Directory

Auditing for account or group creation priviledge

SGupta — Mon, 28 Jun 2010 09:31:57 GMT

How can a user or group access privilege escalation for account or group
creation can be audited and reported with the Windows 2003 active directory.

Even with all auditing enabled It only shows event id 566 as the only
significant event with little info as below. It doesn't display the user or
group being granted acccess for and/or access to

Accesses: WRITE_DAC

Properties:
WRITE_DAC

Also, in the Webnar "Top 10 Active Directory Changes to Monitor in the Security Log" it is mentioned in the slide for event 565 while it actual is event 566 as shown in the example as well.

Thanks
Sunil Gupta

Auditing Password Length

jlashnits — Thu, 01 Jul 2010 10:22:27 GMT

We require that Windows/Active Directory passwords for certain sensitive accounts be a minimum length of 15 characters.

I've noticed that L0phtcrack is able to very rapidly detect when an account's password is greater than 14 characters. Are there any other tools that can do that quickly and, preferably, be automated to scan through entire forests? Any that can report actual length?

Microsoft Security Update Testing

renji — Thu, 15 Apr 2010 18:30:34 GMT

Hello,

For Patch Tuesday :w00t: where Testing is required,

I would like to know how do you go about testing them ? :doze:

What do you recommend for our test labs ? :unsure:

How to make a complete testing environment ? :cool:

Renji George

Privileged access

kkscfb — Tue, 16 Mar 2010 11:18:07 GMT

What logged events could be used to indicate that a new Active Directory group has been added that has Domain Admin equivalent access? In theory, a group could be added that's called "Inquiry" and is given Full Control to everything in the domain - is there a logged event or series of logged events that could identify this activity? Certainly the naming convention is not useful in this example...

Audit Windows 2008 File Shares

dvdkea — Sat, 27 Feb 2010 18:55:57 GMT

I have a 3 node Windows 2008 cluster that has most of our file shares. Someone is making changes to share\folder\file permissions that is causeing me a lot of problems. I am trying to figure out the best way to audit who is making the changes.

I have SCOM 2007 R2 in my environment, so I can also utilize that to report on who is making changes.

Please help!!!

Event ID for modified GPOs

hinek — Mon, 22 Feb 2010 04:16:19 GMT

I have to know, who (usersid or loginname) changed a specified GPO for a specified OU in the Active Directory. Given our audit settings include this, what would be the right Event ID to look for?

Difference between Admin group and domain admin group in AD

duketter — Tue, 29 Dec 2009 12:26:33 GMT

Can anyone describe the difference between the AD groups admin and domain admin? Can the AD admin group do just as much, security wise, as the domain admin group?

AZMAN (Authorization Manager) Events

pstamati — Mon, 20 Jul 2009 14:26:28 GMT

Hi,

I'd loke to know how to implement Azman Audit. I recently enable the audit in Authorization manager, but I didn't receive any event in the security Log.

I also check that "Directory Service Access" is enabled in AD as Microsoft recommends, but nothing happens.

Any Idea?

Thanks.

Logging computer moves between OU's

des2009 — Thu, 13 Aug 2009 15:31:38 GMT

What auditing events or other dependencies must be enabled to record these issues:

1. when a computer account is moved between OU's?

2. when GPO's are applied or removed from computer accounts