Content Search

Custom Search

IP Address Lookup

Sunday, February 17, 2008

How to audit Active Directory account management in Windows 2003?

The following was taken from one of conversation on Microsoft Managed Newsgroup.

By default, Windows Server 2003 system ships the following Audit policies:
> Audit account logon event
> Audit account management
> Audit directory service access
> Audit logon events
> Audit object access
> Audit policy change
> Audit privilege use
> Audit process tracking
> Audit system events

To audit add/deleting events, you may open Default Domain Controller Policy, locate Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy, enable "Audit account management" with Success.

After that, when a new user is created on a domain controller, the following event will be logged:

Event ID: 624
Type: Success Audit
Description: User Account Created:
New Account Name: %1 New Domain: %2
New Account ID: %3 Caller User Name: %4
Caller Domain: %5 Caller Logon ID: %6
Privileges %7

When an existing user is deleted on the domain controller, the following event will be logged:
Event ID: 630
Type: Success Audit
Description: User Account Deleted:
Target Account Name: %1 Target Domain: %2
Target Account ID: %3 Caller User Name: %4
Caller Domain: %5 Caller Logon ID: %6
Privileges %7

We can monitor event 633 and 632 which records security enabled global group membership removed/added.

E.g. you, domain\administrator1 have removed/added user1 from/to group1.
And the following events will be recorded.

Event ID: 633 (logged when you remove a user from a security group)
Type: Success Audit
Description: Security Enabled Global Group Member Removed:
Member Name: CN=user1,CN=Users,DC=domain,DC=com.
Member ID: domain\user1
Target Account Name: domain\administrator
Target Domain: Domain
Target Account ID: domain\group1
Caller User Name: administrator1
Caller Domain: domain

Event ID: 632 (logged when you add a user from a security group)
Type: Success Audit
Description: Security Enabled Global Group Member Added:
Member Name: CN=user1,CN=Users,DC=domain,DC=com.
Member ID: domain\user1
Target Account Name: domain\administrator
Target Domain: Domain
Target Account ID: domain\group1
Caller User Name: administrator1
Caller Domain: domain

We can audit who at what time, modifies which attribute of the user. But we cannot see what's the
Workstation or what's the application. To audit the property change issues, follow the below steps:

1. Enable the Auditing for Directory Services Access for Success in the Default Domain Controller Policy.
2. Go to the Security of the User account you want to audit and Enabled the Auditing for WRITE ATTRIBUTES for Everyone.

We will get the 566 event when any one will change any Attribute like

Event Type: Success Audit
Event Source: Security
Event Category: Directory Service Access
Event ID: 566
Date: 07/06/2007
Time: 11:14:56
User: ALPINESKIHOUSE\t1
Computer: ASH-DC1
Description:
Object Operation:
Object Server: DS
Operation Type: Object Access
Object Type: user
Object Name: CN=t6,CN=Users,DC=alpineskihouse,DC=com
Handle ID: -
Primary User Name: ASH-DC1$
Primary Domain: ALPINESKIHOUSE
Primary Logon ID: (0x0,0x3E7)
Client User Name: t1
Client Domain: ALPINESKIHOUSE
Client Logon ID: (0x0,0x67A9AEE)
Accesses: Write Property

Properties:
Write Property
Public Information
Department
user

Additional Info:
Additional Info2:
Access Mask: 0x20

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

3. Now to check on which DC the change was initiated you can take the
Repadmin report as Follow
Repadmin /showmeta "DN OF THE USER" and you can see the Originating DC and the timestamp.

2 comments:

stealthbits said...

Hello friends,

This audit program will help you follow the same methodology Randy Franklin Smith uses to perform a detailed audit of an active directory network. Thanks a lot.....

Windows Auditing

michel jon said...

Very Interesting article, I found really good information about how audit active directory account and I also read familiar information from http://www.lepide.com/lepideauditor/active-directory.html which provides auditing process and collect audit data on real time basis and get instant alerts for critical changes. This tool provides facilitate to audit of particular logon events, lists all logon related changes .

Quote of the Day