Objects are "disappearing" from AD without...
Posted 6/9/2011 7:24:21 PM
Forum Newbie


Group: Forum Members
Last Login: 6/9/2011 6:34:57 PM
Posts: 6, Visits: 1
Hello,

We've been having some Windows 7 clients "disappearing" out of AD without generating event ID 4743. My first question: Are there any auditing configurations that need to be performed in order to have event ID 4743 generated when a computer object is deleted out of AD?

Thanks,

Tom 

Post #723
Posted 6/10/2011 12:57:42 PM
Expert


Group: Administrators
Last Login: 4/20/2009 7:57:33 AM
Posts: 329, Visits: 0
What is your current audit policy? Go to a domain controller and run:

auditpol /get /category:*

Post #724
Posted 7/7/2011 8:49:02 PM
Forum Newbie


Group: Forum Members
Last Login: 6/9/2011 6:34:57 PM
Posts: 6, Visits: 1
Hi Randy, not sure how well the copy and paste came over, but here are the results.

All domain controllers except one had the following audit policy:

 

 

System audit policy

Category/Subcategory                      Setting
System
  Security System Extension               Success and Failure
  System Integrity                        Success and Failure
  IPsec Driver                            No Auditing
  Other System Events                     Success and Failure
  Security State Change                   Success and Failure
Logon/Logoff
  Logon                                   Success and Failure
  Logoff                                  Success and Failure
  Account Lockout                         Success and Failure
  IPsec Main Mode                         No Auditing
  IPsec Quick Mode                        No Auditing
  IPsec Extended Mode                     No Auditing
  Special Logon                           Success and Failure
  Other Logon/Logoff Events               Success and Failure
  Network Policy Server                   Success and Failure
Object Access
  File System                             Success and Failure
  Registry                                Success and Failure
  Kernel Object                           Success and Failure
  SAM                                     No Auditing
  Certification Services                  Success and Failure
  Application Generated                   Success and Failure
  Handle Manipulation                     No Auditing
  File Share                              Success and Failure
  Filtering Platform Packet Drop          No Auditing
  Filtering Platform Connection           No Auditing
  Other Object Access Events              No Auditing
Privilege Use
  Sensitive Privilege Use                 No Auditing
  Non Sensitive Privilege Use             No Auditing
  Other Privilege Use Events              No Auditing
Detailed Tracking
  Process Termination                     Success and Failure
  DPAPI Activity                          No Auditing
  RPC Events                              Success and Failure
  Process Creation                        Success and Failure
Policy Change
  Audit Policy Change                     Success and Failure
  Authentication Policy Change            Success and Failure
  Authorization Policy Change             Success and Failure
  MPSSVC Rule-Level Policy Change         No Auditing
  Filtering Platform Policy Change        No Auditing
  Other Policy Change Events              Success and Failure
Account Management
  User Account Management                 Success and Failure
  Computer Account Management             Success and Failure
  Security Group Management               Success and Failure
  Distribution Group Management           Success and Failure
  Application Group Management            Success and Failure
  Other Account Management Events         Success and Failure
DS Access
  Directory Service Changes               Success and Failure
  Directory Service Replication           No Auditing
  Detailed Directory Service Replication  No Auditing
  Directory Service Access                Success and Failure
Account Logon
  Kerberos Service Ticket Operations      Success and Failure
  Other Account Logon Events              Success and Failure
  Kerberos Authentication Service         Success and Failure
  Credential Validation                   Success and Failure

 

 

 

The one other DC had this audit setting, but it's been corrected to match the other DCs:

Category/Subcategory                      Setting
System
  Security System Extension               Success
  System Integrity                        Success
  IPsec Driver                            Success
  Other System Events                     Success
  Security State Change                   Success
Logon/Logoff
  Logon                                   Success and Failure
  Logoff                                  Success and Failure
  Account Lockout                         Success and Failure
  IPsec Main Mode                         Success and Failure
  IPsec Quick Mode                        Success and Failure
  IPsec Extended Mode                     Success and Failure
  Special Logon                           Success and Failure
  Other Logon/Logoff Events               Success and Failure
  Network Policy Server                   Success and Failure
Object Access
  File System                             Success and Failure
  Registry                                Success and Failure
  Kernel Object                           Success and Failure
  SAM                                     Success and Failure
  Certification Services                  Success and Failure
  Application Generated                   Success and Failure
  Handle Manipulation                     Success and Failure
  File Share                              Success and Failure
  Filtering Platform Packet Drop          Success and Failure
  Filtering Platform Connection           Success and Failure
  Other Object Access Events              Success and Failure
  Detailed File Share                     Success and Failure
Privilege Use
  Sensitive Privilege Use                 Failure
  Non Sensitive Privilege Use             Failure
  Other Privilege Use Events              Failure
Detailed Tracking
  Process Termination                     No Auditing
  DPAPI Activity                          No Auditing
  RPC Events                              No Auditing
  Process Creation                        No Auditing
Policy Change
  Audit Policy Change                     Success and Failure
  Authentication Policy Change            Success and Failure
  Authorization Policy Change             Success and Failure
  MPSSVC Rule-Level Policy Change         Success and Failure
  Filtering Platform Policy Change        Success and Failure
  Other Policy Change Events              Success and Failure
Account Management
  User Account Management                 Success and Failure
  Computer Account Management             Success and Failure
  Security Group Management               Success and Failure
  Distribution Group Management           Success and Failure
  Application Group Management            Success and Failure
  Other Account Management Events         Success and Failure
DS Access
  Directory Service Changes               Success and Failure
  Directory Service Replication           Success and Failure
  Detailed Directory Service Replication  Success and Failure
  Directory Service Access                Success and Failure
Account Logon
  Kerberos Service Ticket Operations      Success and Failure
  Other Account Logon Events              Success and Failure
  Kerberos Authentication Service         Success and Failure
  Credential Validation                   Success and Failure

 

 

 

Post #754
Posted 7/8/2011 11:39:30 AM
Expert


Group: Administrators
Last Login: 4/20/2009 7:57:33 AM
Posts: 329, Visits: 0

Well, no problem indicated there because "Computer Account Management" was enabled on all DCs.

Is this enabled on all DCs? "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings"

If it is, then I'm stumped for the time being.

Try deleting a computer account and make sure 4743 gets logged.

 

Post #764
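
Added example, not part of the original thread: the three checks suggested above (the "Computer Account Management" subcategory, the force-subcategory override, and whether 4743 is actually being logged), run against every DC in one pass. It assumes the ActiveDirectory module (RSAT), PowerShell remoting to the DCs, and English subcategory names as shown in the auditpol output above; the property names in the report are made up for this example.

```powershell
# Added example: run from an admin workstation with the ActiveDirectory module
# (RSAT) installed and PowerShell remoting enabled on the DCs (both assumptions).
Import-Module ActiveDirectory

$dcs = (Get-ADDomainController -Filter *).HostName

$report = Invoke-Command -ComputerName $dcs -ScriptBlock {
    # 1. Effective setting for the subcategory that produces 4743.
    #    /r gives CSV output; the name is the English one shown in the thread.
    $pol = auditpol /get /subcategory:"Computer Account Management" /r |
           Where-Object { $_ } | ConvertFrom-Csv

    # 2. "Audit: Force audit policy subcategory settings ..." is stored in the
    #    registry as SCENoApplyLegacyAuditPolicy (1 = enabled).
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
               -Name SCENoApplyLegacyAuditPolicy -ErrorAction SilentlyContinue

    # 3. 4743 events still present in this DC's Security log.
    $deleted = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4743 } `
                     -ErrorAction SilentlyContinue)

    # Oldest record in the log: deletions before this time have rolled off.
    $oldest = Get-WinEvent -LogName Security -Oldest -MaxEvents 1

    [pscustomobject]@{
        ComputerAcctMgmt = $pol.'Inclusion Setting'
        ForceSubcategory = ($lsa.SCENoApplyLegacyAuditPolicy -eq 1)
        Events4743       = $deleted.Count
        LogStartsAt      = $oldest.TimeCreated
    }
}

# One row per DC.
$report | Sort-Object PSComputerName |
    Format-Table PSComputerName, ComputerAcctMgmt, ForceSubcategory, Events4743, LogStartsAt -AutoSize

# DCs where a successful deletion would not be recorded as 4743.
$report | Where-Object { $_.ComputerAcctMgmt -notmatch 'Success' } |
    Select-Object PSComputerName, ComputerAcctMgmt
```

4743 is written only to the Security log of the DC that processed the deletion, so a zero count on one DC says nothing about the others; compare LogStartsAt with the time the object went missing before concluding the event was never generated.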