I am simply pointing out his options.  If you noticed, my first recommendation was to ACL his AD structure so that only a very small number of people could perform that type of task.

I'm definitely not going to say that tools should be the savior for people who make mistakes, but they're darned nice and can save a lot of time and/or money when they can be appropriately utilized.



On 7/15/06, joe <[EMAIL PROTECTED]> wrote:
Again, this is after the fact and requires you to bring things back so there is going to be a period where someone somewhere isn't doing the job they are being paid to do and depending on the person and the company the consequences could be dire.
 
Much better to disallow the mistake in the first place.
 
Would it surprise you to know that I ran a Fortune 5 Forest (and prior to that an NT4 multimaster environment) with just under 400 DCs globally and some 250,000 users and who knows how many hundreds of thousands of machines and 100k+ groups with three domain admins across the entire thing all located within 10 feet of each other and not once, not a single time, not ever, did we have to restore a single object in that time. We had no fancy expensive auditing tools, we had no fancy expensive recovery tools, we had no fancy expensive management tools, we had no fancy expensive monitoring tools yet it was without a single exception the best running AD I have seen to date and at this point I have seen quite a few ADs both through work (I am a consultant now) and the untold number of emails I have received from folks concerning my tools or just asking questions.
 
This is all about the quality of the people you let put a gun to the head of your Active Directory environment.
 
I would much rather listen to people bitch and moan that they can't do their jobs than clean up after them when they screw something up. In the end, it is much less work and much easier to keep SLAs.
 
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm 
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt Hargraves
Sent: Saturday, July 15, 2006 3:12 PM

To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Object Auditing

There are tools out there by Quest software (www.quest.com) that will allow both auditing (InTrust for AD) and recovery of altered or deleted items (Recovery Manager for AD).  RMAD is really nice in that you can restore a deleted userID or group and get back all of the properties, including things such as the original SID.

I believe that ITAD also has a monitoring tool that you can run that will let you know if something is changed, though I don't have experience with that aspect of the tool, only the auditing aspect.



On 7/15/06, joe <[EMAIL PROTECTED]> wrote:
I have to say I agree quite strongly with this. Auditing is nice and all but it only points at who made mistakes, it doesn't help prevent them (what if the fine admin had deleted the OU instead of moving it, auditing sure would have helped there...). If you have an entirely ad hoc fly by the seat of your pants structure you can't do much about it other than try to figure out what you really need and implement something that isn't ad hoc fly by the seat of your pants. But if you have a fixed structure, lock down who can do things. 3-5 DAs tops even for VERY large orgs. 3 actual engineers I found to be quite sufficient and honestly for a majority of the work they didn't even need to be DAs.
 
The "best" most stable deployments I have seen for AD used fixed OU structures and simply added a new copy of the fixed structure for each new site or group or whatever the administrative breakup was done by. This can be scripted and then setting up a new OU structure for a new group/site is a simple script that takes seconds to run and people with high level rights aren't mucking around directly in AD with a GUI that can help them make easy point and click mistakes.
 
  joe
 
 
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm 
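A scripted version of the fixed-structure approach joe describes above, added here as an example and not code from the thread or from joe. It assumes the ActiveDirectory PowerShell module (Windows Server 2008 R2 RSAT or later, which post-dates this 2006 thread), a parent OU that already exists, and an illustrative template; every name and DN below is made up.

```powershell
# Added example (not from the thread): stamp out the same fixed OU layout for
# each new site. Assumes the ActiveDirectory module and an existing parent OU;
# the template, site name and DNs are illustrative.
Import-Module ActiveDirectory

# The fixed template. Parents must be listed before their children.
$OuTemplate = @(
    'Users',
    'Groups',
    'Computers',
    'Computers\Workstations',
    'Computers\Servers'
)

function ConvertTo-OuDn {
    # 'Site01\Computers\Servers' -> 'OU=Servers,OU=Computers,OU=Site01,<ParentDn>'
    param([string] $RelativePath, [string] $ParentDn)
    $rdns = @(($RelativePath -split '\\') | ForEach-Object { "OU=$_" })
    [array]::Reverse($rdns)
    return ($rdns -join ',') + ",$ParentDn"
}

function Test-OuExists {
    param([string] $Name, [string] $ParentDn)
    try {
        $hit = Get-ADOrganizationalUnit -LDAPFilter "(ou=$Name)" -SearchBase $ParentDn -SearchScope OneLevel
        return [bool] $hit
    } catch {
        return $false   # parent not there yet (e.g. during a -WhatIf run)
    }
}

function New-SiteOuStructure {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $SiteName,
        [Parameter(Mandatory)] [string] $ParentDn   # e.g. 'OU=Sites,DC=corp,DC=example'
    )
    $paths = @($SiteName) + @($OuTemplate | ForEach-Object { "$SiteName\$_" })
    foreach ($path in $paths) {
        $parts  = $path -split '\\'
        $name   = $parts[-1]
        $parent = if ($parts.Count -gt 1) {
            ConvertTo-OuDn -RelativePath ($parts[0..($parts.Count - 2)] -join '\') -ParentDn $ParentDn
        } else { $ParentDn }

        if (Test-OuExists -Name $name -ParentDn $parent) {
            Write-Verbose "Already present: OU=$name,$parent"
            continue   # idempotent: re-running only adds what is missing
        }
        if ($PSCmdlet.ShouldProcess("OU=$name,$parent", 'Create OU')) {
            # Protection writes Deny Everyone Delete / Delete Subtree on the OU.
            # A move needs Delete on the object, so this also blocks drag-and-drop.
            New-ADOrganizationalUnit -Name $name -Path $parent -ProtectedFromAccidentalDeletion $true
        }
    }
}

# Dry run first, then for real:
New-SiteOuStructure -SiteName 'Site01' -ParentDn 'OU=Sites,DC=corp,DC=example' -WhatIf
New-SiteOuStructure -SiteName 'Site01' -ParentDn 'OU=Sites,DC=corp,DC=example' -Verbose
```

Because every OU is created with ProtectedFromAccidentalDeletion, nobody can drag it anywhere until they deliberately clear the flag first, which is about as close as the built-in product gets to "disallow the mistake in the first place" for a structure that is not supposed to change. The script runs under a delegated account that only needs Create Child (organizationalUnit) on the parent, not Domain Admin.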
 
 


From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Matt Hargraves
Sent: Thursday, July 13, 2006 5:12 PM
Subject: Re: [ActiveDir] Object Auditing

Well, you could always ACL your AD better and make it where only a small number (2 or 3 accounts) of users can make AD organizational changes.  Moving, creating and deleting OUs isn't necessary that often to where it's really all that necessary of a right for most admins.  I think that in our environment (with a very large number of OUs), I have only had maybe 1 or 2 occasions to ever move an OU, if that.

That being said... mistakes happen and these things are going to occur.  Hopefully very, very infrequently.

There are tools out there to monitor AD for changes like this, I guess the question is whether it's worth the money or not.  It's possible that you might want to get them just so you can start monitoring and auditing your environment (which many organizations don't do).
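A check for the ACL point above, added here as an example and not from the thread: list every ACE on a container that allows a principal to create, delete or move OUs, so you can see how far from "2 or 3 accounts" the forest really is. It assumes the ActiveDirectory PowerShell module; the organizationalUnit schema GUID is a constant, everything else is illustrative.

```powershell
# Added example (not from the thread): who can reshape the OU tree?
# Assumes the ActiveDirectory module; output is grouped by principal.
Import-Module ActiveDirectory

# schemaIDGUID of the organizationalUnit class; the same in every forest.
$OuClassGuid = [Guid] 'bf967aa5-0de6-11d0-a285-00aa003049e2'

# Rights that let a principal add, remove or move OUs. A move needs Delete on
# the OU being moved (or Delete Child on its current parent) plus Create Child
# for organizationalUnit on the destination, so both ends of a move are covered.
# WriteDacl/WriteOwner/GenericAll are included because they let you grant yourself the rest.
$StructuralRights = [System.DirectoryServices.ActiveDirectoryRights] `
    'CreateChild, DeleteChild, Delete, DeleteTree, WriteDacl, WriteOwner, GenericAll'

function Get-OuStructureRights {
    param([Parameter(Mandatory)] [string] $Dn)
    $acl = Get-Acl -Path "AD:\$Dn"
    $acl.Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ($_.ActiveDirectoryRights -band $StructuralRights) -ne 0 -and
            # Object-specific ACEs for other classes ("create user objects") don't count.
            ($_.ObjectType -eq [Guid]::Empty -or $_.ObjectType -eq $OuClassGuid)
        } |
        Select-Object @{ n = 'Container'; e = { $Dn } },
                      IdentityReference, ActiveDirectoryRights,
                      @{ n = 'Scope'; e = { if ($_.ObjectType -eq $OuClassGuid) { 'OU class only' } else { 'all classes' } } },
                      InheritanceType, IsInherited
}

# Walk the domain root and every OU, then group by principal.
$domainDn = (Get-ADDomain).DistinguishedName
$targets  = @($domainDn) + @((Get-ADOrganizationalUnit -Filter * -SearchBase $domainDn).DistinguishedName)
$hits = $targets | ForEach-Object { Get-OuStructureRights -Dn $_ }

$hits | Group-Object IdentityReference | Sort-Object Count -Descending |
    Format-Table Name, Count -AutoSize

# Explicit (non-inherited) grants are the ones somebody added by hand; review those first.
$hits | Where-Object { -not $_.IsInherited } | Format-Table Container, IdentityReference, ActiveDirectoryRights, Scope -AutoSize
```

Expect Domain Admins, Enterprise Admins, SYSTEM and Account Operators (Account Operators can create and delete OUs by default) in the output; anything beyond that is the delegation you are deciding whether to keep.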



On 7/13/06, Myrick, Todd (NIH/CC/DCRI) [E] <[EMAIL PROTECTED] > wrote:

Your best bet to learn how to audit changes is to stand up a virtual AD, turn on directory auditing, and make the changes you would like to track to see what event IDs and messages are generated. Then you can use Microsoft's EventCombMT tool to search your DCs for the information.

 

We use the Quest InTrust product here for monitoring and auditing. At the parent level they used NetPro for AD monitoring and InTrust for auditing; I think they want to switch to using the NetPro product for auditing though. Both companies offer very good solutions. It is pretty hard to make a bad decision here. There are some advantages with regards to cross-platform support with InTrust, but that has nothing to do with AD. The shop I am in now uses several platforms, so that is what drove our decision.

 

Todd
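Todd's procedure (turn on directory auditing, make the change, see what gets logged, then sweep the DCs) in scripted form, added here as an example and not from the thread. It assumes Windows Server 2008 or later domain controllers with the "Directory Service Changes" audit subcategory enabled and the ActiveDirectory PowerShell module; 2003 DCs, which this thread is about, do not produce these per-change events (their directory service access auditing logs only the generic 566 "Object Operation" event). Event ID 5139 and its field names are those of the 2008+ event schema; the OU DN is illustrative.

```powershell
# Added example (not from the thread): audit OU moves on 2008+ DCs.
# Step 1 (per DC, normally via the Default Domain Controllers Policy; shown as
# the equivalent one-off local command):
#   auditpol /set /subcategory:"Directory Service Changes" /success:enable
Import-Module ActiveDirectory

# Step 2: a SACL on the OU. Without it nothing fires no matter what policy says.
function Enable-OuChangeAuditing {
    param([Parameter(Mandatory)] [string] $Dn)
    $everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'
    # Create/Delete cover moves in and out; WriteProperty covers renames and
    # attribute changes; WriteDacl catches someone widening the ACL first.
    $rights = [System.DirectoryServices.ActiveDirectoryRights] `
        'CreateChild, DeleteChild, Delete, DeleteTree, WriteProperty, WriteDacl'
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAuditRule(
        $everyone, $rights,
        [System.Security.AccessControl.AuditFlags]::Success,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
    $acl = Get-Acl -Path "AD:\$Dn" -Audit
    $acl.AddAuditRule($rule)
    Set-Acl -Path "AD:\$Dn" -AclObject $acl
}

# Step 3: sweep every DC for 5139 ("A directory service object was moved").
# A move is logged only on the DC that performed it, so all DCs are checked.
function Find-OuMoves {
    param([datetime] $Since = (Get-Date).AddDays(-1))
    foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
        $events = Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue `
            -FilterHashtable @{ LogName = 'Security'; Id = 5139; StartTime = $Since }
        foreach ($e in $events) {
            # Pull the named EventData fields out of the event XML.
            $data = @{}
            foreach ($d in ([xml] $e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            if ($data['ObjectClass'] -ne 'organizationalUnit') { continue }
            [pscustomobject]@{
                Time  = $e.TimeCreated
                DC    = $dc
                Who   = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
                OldDn = $data['OldObjectDN']
                NewDn = $data['NewObjectDN']
            }
        }
    }
}

Enable-OuChangeAuditing -Dn 'OU=Workstations,DC=corp,DC=example'
Find-OuMoves -Since (Get-Date).AddDays(-7) | Format-Table -AutoSize
```

The same loop with Id = 5137 and 5141 gives OU creations and deletions. Test the SACL the way Todd says, in a lab, by moving an OU and confirming the 5139 shows the old and new DN and the account that did it, before relying on it in production.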

 


From: Grillenmeier, Guido [mailto: [EMAIL PROTECTED]]
Sent: Thursday, July 13, 2006 3:23 PM

Subject: RE: [ActiveDir] Object Auditing

 

I'd have to check out myself if an OU move is possible to audit with the built-in auditing events - I'm pretty sure though it is possible with AD specific auditing software such as NetPro's ChangeAuditor AD and Quest's InTrust for AD.

 

you may also want to disable drag & drop in your forest, simply by configuring the following (works for Win2003 SP1 - a pre-SP1 fix should be available as well):

- use ADSIEDIT, LDP or equivalent tool
- locate "flags" attribute of DisplaySpecifiers container in config. NC
- set bit 0 to 1
- drag and drop now disabled

/Guido
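Guido's drag-and-drop change in script form, added here as an example and not from his post: read the current flags value on the Display Specifiers container, set or clear bit 0 only, and leave every other bit alone. It uses plain ADSI, so nothing beyond PowerShell and an account with write rights to the configuration NC (Enterprise Admins by default) is assumed.

```powershell
# Added example (not from the thread). Bit 0 of "flags" on the Display
# Specifiers container disables drag-and-drop in ADUC on Windows 2003 SP1 and
# later consoles, per Guido's note. This lives in the configuration NC, so
# the change is forest-wide and replicates to every DC.
function Set-AducDragDrop {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([switch] $Enable)   # default is to disable

    $rootDse  = [ADSI] 'LDAP://RootDSE'
    $configNc = [string] $rootDse.configurationNamingContext
    $ds       = [ADSI] "LDAP://CN=DisplaySpecifiers,$configNc"

    # flags is absent until someone sets it; treat absent as 0.
    $current = 0
    if ($ds.Properties.Contains('flags')) { $current = [int] $ds.Properties['flags'].Value }

    # Touch only bit 0 so any other bits already in use survive.
    $new = if ($Enable) { $current -band (-bnot 1) } else { $current -bor 1 }
    if ($new -eq $current) {
        Write-Verbose "flags already $current; nothing to do"
        return $current
    }
    if ($PSCmdlet.ShouldProcess([string] $ds.distinguishedName, "flags $current -> $new")) {
        $ds.Put('flags', $new)
        $ds.SetInfo()
    }
    return $new
}

Set-AducDragDrop -WhatIf      # preview the change
Set-AducDragDrop -Verbose     # disable drag-and-drop forest-wide
# Set-AducDragDrop -Enable    # put it back
```

Reopen dsa.msc afterwards; the console reads the flag when it starts. Treat this as a guard against slips, not as a control: anyone who holds the rights can still use the Move... menu item or any LDAP client, so it complements the ACL restriction rather than replacing it.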

 


From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Clay, Justin (ITS)
Sent: Thursday, July 13, 2006 8:25 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Object Auditing

Is it possible to audit the creation/deletion and more importantly, the movement of OUs? One of our admins dragged and dropped an entire OU into another OU that had a desktop lockdown GPO linked to it, thereby locking down the PCs of a bunch of important people, and making them very upset.

 

I have Account Management and Object Access auditing on, but I don't see anything on any of our DCs that show anything about the OU or any of its objects moving. Is there something else I need to enable to audit these types of events? Is it even possible?

 

Thanks,

 

Justin Clay
ITS Enterprise Services
Metropolitan Government of Nashville and Davidson County
Howard School Building

Phone: (615) 880-2573

 



ITS ENTERPRISE SERVICES EMAIL NOTICE

The information contained in this email and any attachments is confidential and may be subject to copyright or other intellectual property protection. If you are not the intended recipient, you are not authorized to use or disclose this information, and we request that you notify us by reply mail or telephone and delete the original message from your mail system.

 



