Forum Newbie
      
What logged events could be used to indicate that a new Active Directory group has been added that has Domain Admin equivalent access? In theory, a group could be added that's called "Inquiry" and is given Full Control to everything in the domain - is there a logged event or series of logged events that could identify this activity? Certainly the naming convention is not useful in this example...
Expert
      
It's a great question, and the best way, and really the only way, to do it is to monitor for the exercise of the "Change Permission" permission (i.e. WRITE_DAC) on the root of the domain and OUs. It's explained in my free recorded webinar: Top 10 Active Directory Changes to Monitor in the Security Log
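The check described in the answer above, as an added example that is not part of the original thread: it filters Directory Service Access events for WRITE_DAC exercised on the domain root or an OU. It assumes Windows Server 2008 or later, where that event is ID 4662 (the thread names no event ID), that auditing is enabled on those objects, and that events have already been exported to dictionaries with the field names shown; the sample records and the `approved` allowlist are constructed for illustration.

```python
WRITE_DAC = 0x00040000  # "Change Permission" bit in an access mask

# schemaIDGUIDs of the classes to watch: the domain root and OUs.
WATCHED_CLASSES = {
    "19195a5b-6da0-11d0-afd3-00c04fd930c9": "domainDNS",
    "bf967aa5-0de6-11d0-a285-00aa003049e2": "organizationalUnit",
}

def _guid(value):
    """Normalise '%{GUID}' as written in event data to a bare lowercase GUID."""
    return value.strip().lstrip("%").strip("{}").lower()

def find_dacl_changes(events, approved=frozenset()):
    """Return 4662 events where WRITE_DAC was exercised on a watched class.

    `approved` is a hypothetical allowlist of lowercase DOMAIN\\user names
    whose permission changes are expected; everyone else is flagged.
    """
    hits = []
    for ev in events:
        if ev.get("EventID") != 4662:
            continue
        data = ev.get("EventData", {})
        mask = int(data.get("AccessMask", "0x0"), 16)
        obj_class = WATCHED_CLASSES.get(_guid(data.get("ObjectType", "")))
        if not (mask & WRITE_DAC) or obj_class is None:
            continue
        who = f'{data.get("SubjectDomainName")}\\{data.get("SubjectUserName")}'
        hits.append({"time": ev.get("TimeCreated"), "who": who,
                     "class": obj_class, "object": data.get("ObjectName"),
                     "unexpected": who.lower() not in approved})
    return hits

def _ev(time, user, obj_type, obj_name, mask):
    """Build one constructed 4662 record in the assumed export shape."""
    return {"EventID": 4662, "TimeCreated": time, "EventData": {
        "SubjectDomainName": "CORP", "SubjectUserName": user,
        "ObjectType": obj_type, "ObjectName": obj_name, "AccessMask": mask}}

# Constructed sample records (not real log data); object GUIDs are placeholders.
DOMAIN, OU, USER = ("%{19195a5b-6da0-11d0-afd3-00c04fd930c9}",
                    "%{bf967aa5-0de6-11d0-a285-00aa003049e2}",
                    "%{bf967aba-0de6-11d0-a285-00aa003049e2}")
SAMPLE = [
    _ev("2010-03-16T10:01:00Z", "jdoe", DOMAIN, "%{00000000-0000-0000-0000-000000000001}", "0x40000"),
    _ev("2010-03-16T10:02:00Z", "jdoe", DOMAIN, "%{00000000-0000-0000-0000-000000000001}", "0x10"),
    _ev("2010-03-16T10:03:00Z", "jdoe", USER, "%{00000000-0000-0000-0000-000000000002}", "0x40000"),
    _ev("2010-03-16T10:04:00Z", "adadmin", OU, "%{00000000-0000-0000-0000-000000000003}", "0x60000"),
]
```

Only the first and last sample records match: the second is a property read on the domain root, and the third is a permission change on a user object, which is outside the scope the answer names.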