﻿<?xml version='1.0' encoding='UTF-8'?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/"><channel><title>UltimateWindowsSecurity.com Forum / Ultimate Windows Security Forum / IT Audit / Active Directory  / Privileged access / Latest Posts</title><generator>InstantForum.NET v4.1.4</generator><description>UltimateWindowsSecurity.com Forum</description><link>http://forum.ultimatewindowssecurity.com/</link><webMaster>noreply@ultimatewindowssecurity.com</webMaster><lastBuildDate>Wed, 08 Sep 2010 20:35:03 GMT</lastBuildDate><ttl>20</ttl><item><title>RE: Privileged access</title><link>http://forum.ultimatewindowssecurity.com/Topic335-8-1.aspx</link><description>It's a great question, and the best way, and really the only way, to do it is to monitor for the exercise of the "Change Permission" permission (i.e. WRITE_DAC) on the root of the domain and OUs.  Explained in my free recorded webinar: Top 10 Active Directory Changes to Monitor in the Security Log</description><pubDate>Tue, 16 Mar 2010 20:58:10 GMT</pubDate><dc:creator>RandyFranklinSmith</dc:creator></item><item><title>Privileged access</title><link>http://forum.ultimatewindowssecurity.com/Topic335-8-1.aspx</link><description>What logged events could be used to indicate that a new Active Directory group has been added that has Domain Admin equivalent access?  In theory, a group could be added that's called "Inquiry" and is given Full Control to everything in the domain - is there a logged event or series of logged events that could identify this activity?  Certainly the naming convention is not useful in this example...</description><pubDate>Tue, 16 Mar 2010 11:18:07 GMT</pubDate><dc:creator>kkscfb</dc:creator></item></channel></rss>