Hi Matt,

 

Natively it's difficult to track all changes to AD.  If you do this
through the event log, then you need a mechanism to regularly harvest
the event logs, such as Microsoft Audit Collection System (ACS).
Otherwise, as you've noted, the logs will overwrite and you will lose
historical information.  Even with event collection in place, you're
still at the mercy of what changes and what change information you can
actually get from the event log.  By increasing your audit policy you
can ensure more change details are captured in the event log, but you're
also producing a lot of additional information in the event logs that
you might not need, and you may need to worry about server overhead,
logs wrapping more often, etc.  Ultimately you likely need to know not
just that an object was modified but what specifically was changed,
before/after values, etc. - not all of which is easy to glean from event
logs.

 

The two main 3rd party products that solve this challenge are NetPro
ChangeAuditor and Quest InTrust for Active Directory.

 

Thanks,

Shawn

 

________________________________

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mattingly,
Garrett
Sent: Friday, January 05, 2007 11:18 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD Auditing and Change Control

 

Hi All,

I was asked if there was a way to find out all changes performed in AD
by a particular user account.  The person was wondering if there is an
AD attribute to query on to do this.  Natively I believe that event log
auditing is about the only way you can track this information natively
which is almost useless because the security log overwrites after a day
or so. As far as I know in AD you have a creation and modified date on
objects in AD but there is no "created by" or "modified by" attribute
that I am aware of.  I thought maybe object owner might be an attribute
but I did not see this listed in ADSIEdit.  

This is basically a "How can we find out what this guy is doing or did?"
problem.

Questions: Is this even possible with native tools?  Are there
recommended 3rd party tools that could do this?  I've heard of something
called ECORA Auditor Pro, anybody use this?

Thanks,

Garrett
