Forum Newbie
      
Group: Forum Members
Last Login: 10/24/2013 11:50:57 AM
Posts: 2,
Visits: 0
Hi all,
We have a list of suspicious users and we want to monitor these users within the AD servers and workstations.
You want to monitor the actions taken by these users such as:
- Changing audit policy
- Access to objects
- Installation / uninstall service
- Access / modification of files
Regards,
Supreme Being
      
Group: Moderators
Last Login: 11/14/2013 3:17:47 PM
Posts: 237,
Visits: 0
Event ID 4719 will tell you when a system audit policy was changed. Event ID 4663 will tell you if permissions were actually exercised on an object. Object access monitoring has to be turned on. Event ID 4697 will identify who (often System) installed the service.
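Added example (not part of the reply above): a filter that takes Security events exported as XML, keeps only the three event IDs named in the answer, and reports those whose SubjectUserName is on a watch list. The account names, host name and field values are constructed sample data; the 4697 sample is logged under a machine account to show why a per-user filter can miss service installs.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Event IDs from the answer above, each with the EventData field reported for it.
WATCHED_IDS = {4719: "AuditPolicyChanges", 4663: "ObjectName", 4697: "ServiceName"}
WATCHLIST = {"jdoe", "asmith"}  # constructed account names (assumption)


def _event(eid, user, **data):
    """Build a constructed, trimmed-down Security event in Windows event XML."""
    fields = {"SubjectUserName": user, **data}
    body = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{eid}</EventID>'
            f"<Computer>DC01.example.test</Computer></System>"
            f"<EventData>{body}</EventData></Event>")


# Constructed sample input; real events carry many more fields.
SAMPLE_EVENTS = [
    _event(4719, "JDoe", AuditPolicyChanges="%%8448"),
    _event(4663, "asmith", ObjectName=r"C:\Finance\payroll.xlsx"),
    _event(4663, "bwayne", ObjectName=r"C:\Public\readme.txt"),  # not watched
    _event(4697, "DC01$", ServiceName="UpdaterSvc"),  # machine account, no match
    _event(4688, "jdoe", NewProcessName=r"C:\Windows\System32\cmd.exe"),  # other ID
]


def watched_user_hits(events_xml, watchlist=WATCHLIST):
    """Return (event_id, user, computer, detail) for watched IDs and users."""
    wanted = {u.lower() for u in watchlist}  # account names are case-insensitive
    hits = []
    for raw in events_xml:
        root = ET.fromstring(raw)
        eid = int(root.findtext("e:System/e:EventID", namespaces=NS))
        if eid not in WATCHED_IDS:
            continue
        data = {d.get("Name"): d.text or ""
                for d in root.iterfind("e:EventData/e:Data", NS)}
        user = data.get("SubjectUserName", "")
        if user.lower() in wanted:
            computer = root.findtext("e:System/e:Computer", namespaces=NS)
            hits.append((eid, user, computer, data.get(WATCHED_IDS[eid], "")))
    return hits


if __name__ == "__main__":
    for hit in watched_user_hits(SAMPLE_EVENTS):
        print(hit)
```

Because 4697 is often logged under System or a machine account, review service installs on monitored hosts regardless of the subject name.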