<?xml version='1.0' encoding='UTF-8'?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/"><channel><title>UltimateWindowsSecurity.com Forum / Ultimate Windows Security Forum / IT Audit / Active Directory </title><generator>InstantForum.NET v4.1.4</generator><description>UltimateWindowsSecurity.com Forum</description><link>http://forum.ultimatewindowssecurity.com/</link><webMaster>noreply@ultimatewindowssecurity.com</webMaster><lastBuildDate>Tue, 07 Feb 2012 11:49:43 GMT</lastBuildDate><ttl>20</ttl><item><title>Event ID 566</title><link>http://forum.ultimatewindowssecurity.com/Topic898-8-1.aspx</link><description>I'm getting event ID 566 success after moving a user account into a security group. Windows 2003. Can anyone advise why I am getting this please? I am unaware of any other changes being made.</description><pubDate>Thu, 26 Jan 2012 17:26:36 GMT</pubDate><dc:creator>Ronnie</dc:creator></item><item><title>AD Upgrade from 2003 to 2008 R2</title><link>http://forum.ultimatewindowssecurity.com/Topic803-8-1.aspx</link><description>Can someone provide points to be checked as an IT auditor involved in AD upgrade to 2008 R2?</description><pubDate>Sun, 18 Sep 2011 09:02:09 GMT</pubDate><dc:creator>ochoksy</dc:creator></item><item><title>SIEM Vendor Matrix</title><link>http://forum.ultimatewindowssecurity.com/Topic432-8-1.aspx</link><description>Hello all&lt;P&gt;&lt;BR&gt;This post is not intended to only focus on AD Audits, but I didn't see a forum for more generalized IT Audits.  Does anyone have any suggestions for a good comprehensive source comparing features of various SIEM vendors/products?  Just looking to avoid recreating the wheel, if there is already a good source of information out there.  Features like...  agents - required, optional, or do not exist...  sources - what sources can the system collect information from?...   native auditing - does the system only use native Microsoft auditing, or does the agent add functionality?   
scalability, archiving?, throughput (EPS), and possibly even cost/licensing.&lt;/P&gt;&lt;P&gt;Vendors/Products that come to mind (in no particular order):&lt;/P&gt;&lt;P&gt;     Microsoft - Audit Collection Services (ACS/SCOM)&lt;/P&gt;&lt;P&gt;     Quest - Change Auditor&lt;/P&gt;&lt;P&gt;     Quest - InTrust&lt;/P&gt;&lt;P&gt;     Prism Microsystems - Event Tracker&lt;/P&gt;&lt;P&gt;     Tripwire - LogCenter&lt;/P&gt;&lt;P&gt;     Tripwire - Enterprise&lt;/P&gt;&lt;P&gt;     ArcSight - ESM&lt;/P&gt;&lt;P&gt;     Splunk - Enterprise&lt;/P&gt;&lt;P&gt;Any information or even opinions on various products would be very much appreciated!  I realize that not all of these products technically fall into a "SIEM" solution, but most can accomplish similar goals to different scales.  &lt;/P&gt;&lt;P&gt;Thanks for any feedback!&lt;/P&gt;&lt;P&gt;Steve</description><pubDate>Thu, 26 Aug 2010 14:42:40 GMT</pubDate><dc:creator>sgrinker</dc:creator></item><item><title>Detecting Concurrent Logins</title><link>http://forum.ultimatewindowssecurity.com/Topic704-8-1.aspx</link><description>I want to detect concurrent user logins within the domain. Audit log policy is implemented and workstation logs are saved on the AD. I examined the audit logs and Event ID 528 and 672 look promising. However, I am not sure how can I detect concurrent logins through any of these events. Any help in this regard will be greatly appreciated.</description><pubDate>Thu, 02 Jun 2011 03:26:55 GMT</pubDate><dc:creator>darknight007</dc:creator></item><item><title>AD accounts</title><link>http://forum.ultimatewindowssecurity.com/Topic691-8-1.aspx</link><description>What is the difference between disabling and expiring an active directory user account when an employee is terminated? 
Our auditor says we have to disable it.</description><pubDate>Fri, 13 May 2011 13:50:09 GMT</pubDate><dc:creator>tommymilos</dc:creator></item><item><title>is it possible for a deleted domain account to log into a domain workstation?</title><link>http://forum.ultimatewindowssecurity.com/Topic627-8-1.aspx</link><description>I use to monitor the event logs of the directive board of the company every two months, yesterday I came across with an account of a user that even passed away, apart from not working in the company any longer... and the account registered a successful network logon into another computer... any clues?</description><pubDate>Wed, 30 Mar 2011 13:53:42 GMT</pubDate><dc:creator>pnova</dc:creator></item><item><title>Map IP address to domain credential supplied</title><link>http://forum.ultimatewindowssecurity.com/Topic608-8-1.aspx</link><description>I am trying to figure out the best tool to extract domain logins from our domain controllers, such that I can create a network map that shows every credential used by any given IP address in our network. What would be the best tool to accomplish this task?</description><pubDate>Thu, 24 Feb 2011 16:16:45 GMT</pubDate><dc:creator>ddrumm</dc:creator></item><item><title>Expired accounts</title><link>http://forum.ultimatewindowssecurity.com/Topic599-8-1.aspx</link><description>In AD users and computers, when a user account was disabled, a red x is shown on the account. But how to identify an expired account or to know it's actually expired? When right click on the account supposed to be expired, the Disable Account option is available. Does that mean that an account can be expired but not disabled? Thanks in advance for all the help.</description><pubDate>Thu, 17 Feb 2011 11:01:26 GMT</pubDate><dc:creator>yuanqian</dc:creator></item><item><title>ADCS audit</title><link>http://forum.ultimatewindowssecurity.com/Topic591-8-1.aspx</link><description>Has anyone done an AD certificate services audit or review? 
I would like to have some insights and suggestions. Thanks.</description><pubDate>Thu, 10 Feb 2011 15:03:39 GMT</pubDate><dc:creator>yuanqian</dc:creator></item><item><title>How to create "restricted access" in AD</title><link>http://forum.ultimatewindowssecurity.com/Topic575-8-1.aspx</link><description>AD authenticates all users and groups reside in all domains in the forest. Is there a feature in AD to disallow a particular group or user from accessing another domain? Or should this be done using network features?</description><pubDate>Mon, 07 Feb 2011 09:40:19 GMT</pubDate><dc:creator>yuanqian</dc:creator></item><item><title>Logging computer moves between OU's</title><link>http://forum.ultimatewindowssecurity.com/Topic174-8-1.aspx</link><description>What auditing events or other dependencies must be enabled to record these issues:&lt;/P&gt;&lt;P&gt;1.  when a computer account is moved between OU's?  &lt;/P&gt;&lt;P&gt;2.  when GPO's are applied or removed from computer accounts</description><pubDate>Thu, 13 Aug 2009 15:31:38 GMT</pubDate><dc:creator>des2009</dc:creator></item><item><title>AZMAN (Authorization Manager) Events</title><link>http://forum.ultimatewindowssecurity.com/Topic137-8-1.aspx</link><description>Hi, &lt;/P&gt;&lt;P&gt;I'd like to know how to implement Azman Audit. I recently enabled the audit in Authorization manager, but I didn't receive any event in the security Log.&lt;/P&gt;&lt;P&gt;I also checked that "Directory Service Access" is enabled in AD as Microsoft recommends, but nothing happens.&lt;/P&gt;&lt;P&gt;Any Idea?&lt;/P&gt;&lt;P&gt;Thanks.</description><pubDate>Mon, 20 Jul 2009 14:26:28 GMT</pubDate><dc:creator>pstamati</dc:creator></item><item><title>Restrict user logins to 1 simultaneous/concurrent login</title><link>http://forum.ultimatewindowssecurity.com/Topic428-8-1.aspx</link><description>I am trying to figure out how to restrict user logins to 1 concurrent session in our environment. 
So far, no luck from technet posts to do it natively - turning a switch, GPO. Saw reference to limitlogin (doesn't seem to work in 2008R2 environment) and 3rd party tool UserLock. Trying my luck in this post for any recommendation/advice.&lt;br&gt;&lt;br&gt;Cheers,&lt;br&gt;Oliver</description><pubDate>Sun, 22 Aug 2010 01:39:18 GMT</pubDate><dc:creator>oliverc</dc:creator></item><item><title>Auditing for account or group creation privilege</title><link>http://forum.ultimatewindowssecurity.com/Topic396-8-1.aspx</link><description>How can a user or group access privilege escalation for account or group&lt;br&gt;creation can be audited and reported with the Windows 2003 active directory.&lt;br&gt;&lt;br&gt;Even with all auditing enabled it only shows event id 566 as the only&lt;br&gt;significant event with little info as below. It doesn't display the user or&lt;br&gt;group being granted access for and/or access to&lt;br&gt;&lt;br&gt;Accesses: WRITE_DAC&lt;br&gt;&lt;br&gt;Properties:&lt;br&gt;WRITE_DAC&lt;br&gt;&lt;br&gt;Also, in the Webinar "Top 10 Active Directory Changes to Monitor in the Security Log" it is mentioned in the slide for event 565 while it actually is event 566 as shown in the example as well.&lt;br&gt;&lt;br&gt;Thanks &lt;br&gt;Sunil Gupta</description><pubDate>Mon, 28 Jun 2010 09:31:57 GMT</pubDate><dc:creator>SGupta</dc:creator></item><item><title>Auditing Password Length</title><link>http://forum.ultimatewindowssecurity.com/Topic399-8-1.aspx</link><description>We require that Windows/Active Directory passwords for certain sensitive accounts be a minimum length of 15 characters.  &lt;P&gt;&lt;FONT size=2&gt;I've noticed that L0phtcrack is able to very rapidly detect when an account's password is greater than 14 characters.  Are there any other tools that can do that quickly and, preferably, be automated to scan through entire forests?  
Any that can report actual length?&lt;/FONT&gt;</description><pubDate>Thu, 01 Jul 2010 10:22:27 GMT</pubDate><dc:creator>jlashnits</dc:creator></item><item><title>Privileged access</title><link>http://forum.ultimatewindowssecurity.com/Topic335-8-1.aspx</link><description>What logged events could be used to indicate that a new Active Directory group has been added that has Domain Admin equivalent access?  In theory, a group could be added that's called "Inquiry" and is given Full Control to everything in the domain - is there a logged event or series of logged events that could identify this activity?  Certainly the naming convention is not useful in this example...</description><pubDate>Tue, 16 Mar 2010 11:18:07 GMT</pubDate><dc:creator>kkscfb</dc:creator></item><item><title>Audit Windows 2008 File Shares</title><link>http://forum.ultimatewindowssecurity.com/Topic321-8-1.aspx</link><description>I have a 3 node Windows 2008 cluster that has most of our file shares. Someone is making changes to share\folder\file permissions that is causing me a lot of problems. I am trying to figure out the best way to audit who is making the changes.&lt;/P&gt;&lt;P&gt;I have SCOM 2007 R2 in my environment, so I can also utilize that to report on who is making changes.&lt;/P&gt;&lt;P&gt;Please help!!!</description><pubDate>Sat, 27 Feb 2010 18:55:57 GMT</pubDate><dc:creator>dvdkea</dc:creator></item><item><title>Event ID for modified GPOs</title><link>http://forum.ultimatewindowssecurity.com/Topic315-8-1.aspx</link><description>I have to know, who (usersid or loginname) changed a specified GPO for a specified OU in the Active Directory. 
Given our audit settings include this, what would be the right Event ID to look for?</description><pubDate>Mon, 22 Feb 2010 04:16:19 GMT</pubDate><dc:creator>hinek</dc:creator></item><item><title>Difference between Admin group and domain admin group in AD</title><link>http://forum.ultimatewindowssecurity.com/Topic292-8-1.aspx</link><description>Can anyone describe the difference between the AD groups admin and domain admin?  Can the AD admin group do just as much, security wise, as the domain admin group?</description><pubDate>Tue, 29 Dec 2009 12:26:33 GMT</pubDate><dc:creator>duketter</dc:creator></item></channel></rss>
