Your best bet to learn how to audit changes is to stand up a virtual AD, turn on Directory auditing, and make the changes you would like to track to see what event IDs and messages are generated. Then you can use Microsoft's EventCombMT tool to search your DCs for the information.

 

We use the Quest Intrust product here for monitoring and auditing… At the parent level they used NetPro for AD monitoring and Intrust for auditing; I think they want to switch to using the NetPro product for auditing though. Both companies offer very good solutions. It is pretty hard to make a bad decision here. There are some advantages with regard to cross-platform support with Intrust, but that has nothing to do with AD. The shop I am in now uses several platforms, so that is what drove our decision.

 

Todd

 


From: Grillenmeier, Guido [mailto:[EMAIL PROTECTED]
Sent: Thursday, July 13, 2006 3:23 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Object Auditing

 

I'd have to check out myself if an OU move is possible to audit with the built-in auditing events - I'm pretty sure though it is possible with AD-specific auditing software such as NetPro's ChangeAuditor AD and Quest's Intrust for AD.

 

You may also want to disable drag & drop in your forest, simply by configuring the following (works for Win2003 SP1 - a pre-SP1 fix should be available as well):

- use ADSIEDIT, LDP or equivalent tool
- locate "flags" attribute of DisplaySpecifiers container in config. NC
  - set bit 0 to 1
- drag and drop now disabled

/Guido
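The steps in the message above as a script, added here as an example and not part of the original thread. It assumes PowerShell with the `[ADSI]` accelerator on a domain-joined machine and an account allowed to write to the configuration NC; the `-Apply` switch is a hypothetical name chosen for this sketch.

```powershell
# Added example: set bit 0 of "flags" on CN=DisplaySpecifiers in the config NC.
# Without -Apply the script only reports what it would change.
param([switch]$Apply)

# Find the configuration naming context from RootDSE instead of hard-coding a DN.
$rootDse  = [ADSI]'LDAP://RootDSE'
$configNc = [string]$rootDse.Properties['configurationNamingContext'].Value
$dn       = "CN=DisplaySpecifiers,$configNc"
$ds       = [ADSI]"LDAP://$dn"

# "flags" may have no value yet; treat that as 0.
$current = 0
if ($ds.Properties['flags'].Count -gt 0) {
    $current = [int]$ds.Properties['flags'].Value
}

# OR in bit 0 so any other bits already set are preserved.
$new = $current -bor 1

Write-Output "Object : $dn"
Write-Output "flags  : current=$current  new=$new"

if ($current -band 1) {
    Write-Output 'Bit 0 is already set; nothing to do.'
}
elseif ($Apply) {
    $ds.Properties['flags'].Value = $new
    $ds.CommitChanges()
    # Keep the previous value in the change record so the setting can be reverted.
    Write-Output "Bit 0 set. Previous value was $current."
}
else {
    Write-Output 'Report only. Re-run with -Apply to write the change.'
}
```

The change is made in the configuration NC, so it replicates to every DC in the forest.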

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Clay, Justin (ITS)
Sent: Thursday, 13 July 2006 20:25
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Object Auditing

Is it possible to audit the creation/deletion and more importantly, the movement of OUs? One of our admins dragged and dropped an entire OU into another OU that had a desktop lockdown GPO linked to it, thereby locking down the PCs of a bunch of important people, and making them very upset.

 

I have Account Management and Object Access auditing on, but I don’t see anything on any of our DCs that shows anything about the OU or any of its objects moving. Is there something else I need to enable to audit these types of events? Is it even possible?

 

Thanks,

 

Justin Clay
ITS Enterprise Services
Metropolitan Government of Nashville and Davidson County
Howard School Building

Phone: (615) 880-2573

 


