Last I checked the public info on ACS is/has/will be in beta forever and won't be in a product until the System Center line of products hits the streets (they are still in beta).

These days ACS isn't a solution for anyone other than the folks that got the beta bits eons ago.

I'm still getting my head around the Vista audit logs.... but liking what I see so far (lots more granular info).

Shawn Barker wrote:
AD Auditing and Change Control

Hi Matt,

Natively it’s difficult to track all changes to AD.  If you do this through the event log, then you need a mechanism to regularly harvest the event logs, such as Microsoft Audit Collection System (ACS).  Otherwise, as you’ve noted, the logs will overwrite and you will lose historical information.  Even with event collection in place, you’re still at the mercy of what changes and what change information you can actually get from the event log.  By increasing your audit policy you can ensure more change details are captured in the event log, but you’re also producing a lot of additional information in the event logs that you might not need, and you may need to worry about server overhead, logs wrapping more often, etc.  Ultimately you likely need to know not just that an object was modified but what specifically was changed, before/after values, etc. – not all of which is easy to glean from event logs.

 

The two main 3rd party products that solve this challenge are NetPro ChangeAuditor and Quest InTrust for Active Directory.

 

Thanks,

Shawn

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mattingly, Garrett
Sent: Friday, January 05, 2007 11:18 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD Auditing and Change Control

 

Hi All,

I was asked if there was a way to find out all changes performed in AD by a particular user account.  The person was wondering if there is an AD attribute to query on to do this.  Natively I believe that event log auditing is about the only way you can track this information natively, which is almost useless because the security log overwrites after a day or so. As far as I know in AD you have a creation and modified date on objects in AD but there is no “created by” or “modified by” attribute that I am aware of.  I thought maybe object owner might be an attribute but I did not see this listed in ADSIEdit.

This is basically a “How can we find out what this guy is doing or did?” problem.

Questions: Is this even possible with native tools?  Are there recommended 3rd party tools that could do this?  I’ve heard of something called ECORA Auditor Pro, anybody use this?

Thanks,

Garrett


-- 
Letting your vendors set your risk analysis these days?  
http://www.threatcode.com

If you are a SBSer and you don't subscribe to the SBS Blog... man ... I will hunt you down...
http://blogs.technet.com/sbs