Re: Domain membership change
Where there is a will... :)

-ASB: http://XeeSM.com/AndrewBaker

On Mon, May 24, 2010 at 11:14 PM, Brian Desmond br...@briandesmond.com wrote:

I've seen it happen when you've got people who don't belong in the groups figure out a way to temporarily add themselves. I've held a couple folks over a barbeque pit for it.

Thanks,
Brian Desmond
br...@briandesmond.com
c – 312.731.3132

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/ ~
RE: Domain membership change
ScriptLogic Active Administrator will do this, among many other AD monitoring/backup thingies. Not free, but not too expensive either if you need to monitor such things. It's saved our hides a number of times.

Don Guyer
Systems Engineer - Information Services
Prudential, Fox Roach/Trident Group
431 W. Lancaster Avenue
Devon, PA 19333
Direct: (610) 993-3299
Fax: (610) 650-5306
don.gu...@prufoxroach.com

From: David Lum [mailto:david@nwea.org]
Sent: Monday, May 24, 2010 5:03 PM
To: NT System Admin Issues
Subject: Domain membership change

If I wanted to get notified anytime a user is added to say, Domain Admins, what's the best way to go about this? Is there an EventID I can look for?

David Lum // SYSTEMS ENGINEER
NORTHWEST EVALUATION ASSOCIATION
(Desk) 971.222.1025 // (Cell) 503.267.9764
RE: Domain membership change
Agree with Brian, that is one of the primary things you are trying to protect against IMNSHO. The quick interloper who is bypassing proper change controls and/or trying to cover their tracks. Also why it is a good idea to alert on 517 (or 1102 in newer OSs)

From: Brian Desmond [mailto:br...@briandesmond.com]
Sent: Monday, May 24, 2010 8:15 PM
To: NT System Admin Issues
Subject: RE: Domain membership change

I've seen it happen when you've got people who don't belong in the groups figure out a way to temporarily add themselves. I've held a couple folks over a barbeque pit for it.

Thanks,
Brian Desmond
br...@briandesmond.com
c - 312.731.3132
Re: Domain membership change
I know someone who set up a monitor to dump group membership changes to a SQL database. They had a web front end for preset queries on specific groups. Doing this they were able to find numerous instances of just such a thing occurring, which enabled them to identify the source of intermittent changes in their environment.

Steven Peck

On Tue, May 25, 2010 at 1:18 PM, Free, Bob r...@pge.com wrote:

Agree with Brian, that is one of the primary things you are trying to protect against IMNSHO. The quick interloper who is bypassing proper change controls and/or trying to cover their tracks. Also why it is a good idea to alert on 517 (or 1102 in newer OSs)
Re: Domain membership change
Do you have that many Domain Admins that it wouldn't be obvious? Or is this a case of someone elevating their permissions temporarily?

David Lum david@nwea.org 5/24/2010 2:03 PM

If I wanted to get notified anytime a user is added to say, Domain Admins, what's the best way to go about this? Is there an EventID I can look for?

David Lum // SYSTEMS ENGINEER
NORTHWEST EVALUATION ASSOCIATION
(Desk) 971.222.1025 // (Cell) 503.267.9764
RE: Domain membership change
It would be obvious if I looked every day. I don't want to look every day for the 1-2x year it might happen.

Dave

-Original Message-
From: Joseph Heaton [mailto:jhea...@dfg.ca.gov]
Sent: Monday, May 24, 2010 2:19 PM
To: NT System Admin Issues
Subject: Re: Domain membership change

Do you have that many Domain Admins that it wouldn't be obvious? Or is this a case of someone elevating their permissions temporarily?
Re: Domain membership change
Periodically I run the following which dumps the members of DA.

C:\Tools\AdFind>adfind -b "CN=Domain Admins,CN=Users,DC=domain,DC=com" -asq member -f * displayName samaccountname -sl -nodn -csv

I'm sure someone who is a lot better at scripting than me can configure the above to dump and possibly email the file/contents automagically. But the above suffices in my environment for now.

On Mon, May 24, 2010 at 5:23 PM, David Lum david@nwea.org wrote:

It would be obvious if I looked every day. I don't want to look every day for the 1-2x year it might happen.

Dave
RE: Domain membership change
There's not a specific event for Domain Admins group membership. You'll have to look for the 632 security event and filter on the description containing substring Domain Admins.

-Malcolm

From: David Lum [mailto:david@nwea.org]
Sent: Monday, May 24, 2010 16:03
To: NT System Admin Issues
Subject: Domain membership change

If I wanted to get notified anytime a user is added to say, Domain Admins, what's the best way to go about this? Is there an EventID I can look for?

David Lum // SYSTEMS ENGINEER
NORTHWEST EVALUATION ASSOCIATION
(Desk) 971.222.1025 // (Cell) 503.267.9764
RE: Domain membership change
Pre-Windows 2008. For Windows 2008 and after, the event ID changes. See http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=632 and related entries.

Regards,
Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com

From: Malcolm Reitz [mailto:malcolm.re...@live.com]
Sent: Monday, May 24, 2010 5:38 PM
To: NT System Admin Issues
Subject: RE: Domain membership change

There's not a specific event for Domain Admins group membership. You'll have to look for the 632 security event and filter on the description containing substring Domain Admins.

-Malcolm
Re: Domain membership change
Adding a little blat.exe (FOSS utility for email) and fc.exe (native command for comparing files) to that mix would do just what you want.

Kurt

On Mon, May 24, 2010 at 14:33, Harry Singh hbo...@gmail.com wrote:

Periodically I run the following which dumps the members of DA.

C:\Tools\AdFind>adfind -b "CN=Domain Admins,CN=Users,DC=domain,DC=com" -asq member -f * displayName samaccountname -sl -nodn -csv

I'm sure someone who is a lot better at scripting than me can configure the above to dump and possibly email the file/contents automagically. But the above suffices in my environment for now.
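The dump-and-compare loop Harry and Kurt describe, written out as a PowerShell script. This is an added example, not code from the thread: it uses ADSI and Send-MailMessage in place of adfind, fc.exe and blat.exe, so it needs nothing beyond PowerShell 2.0 on a domain-joined host. The group DN (taken from Harry's command), the snapshot path, the SMTP host and the addresses are placeholders. It also picks up one set of members that a dump of the member attribute never shows: accounts whose primaryGroupID is 512, the Domain Admins RID, are members of the group without being listed in member.

```powershell
# Added example (not from the thread): snapshot Domain Admins membership, diff it
# against the previous run and mail the difference. PowerShell 2.0+, ADSI only,
# run from a scheduled task. DN, snapshot path and SMTP details are placeholders.

$GroupDn   = "CN=Domain Admins,CN=Users,DC=domain,DC=com"   # placeholder, as in the adfind command
$GroupRid  = 512                                            # well-known RID of Domain Admins
$StatePath = "C:\Tools\DomainAdmins.last.txt"               # assumed location of the last snapshot
$SmtpHost  = "smtp.domain.com"                              # placeholder
$MailFrom  = "da-watch@domain.com"                          # placeholder
$MailTo    = "admins@domain.com"                            # placeholder

function Get-GroupMemberDns {
    # Returns the sorted DNs of everything that is effectively a member of the
    # group: the 'member' attribute plus accounts whose primary group is this
    # group. The second set never appears in 'member', so a dump of that
    # attribute alone (adfind -asq member) does not list them.
    param([string]$Dn, [int]$Rid)
    $names = @()

    $group = [ADSI]"LDAP://$Dn"
    foreach ($memberDn in @($group.member)) {
        $names += [string]$memberDn
    }

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectCategory=person)(primaryGroupID=$Rid))"
    [void]$searcher.PropertiesToLoad.Add("distinguishedName")
    foreach ($r in $searcher.FindAll()) {
        $names += [string]$r.Properties["distinguishedname"][0]
    }

    return @($names | Sort-Object -Unique)
}

function Compare-Snapshot {
    # Turns two DN lists into "ADDED x" / "REMOVED y" lines; empty when equal.
    param([string[]]$Previous, [string[]]$Current)
    $lines = @()
    foreach ($d in (Compare-Object -ReferenceObject $Previous -DifferenceObject $Current)) {
        $verb = if ($d.SideIndicator -eq "=>") { "ADDED  " } else { "REMOVED" }
        $lines += "$verb $($d.InputObject)"
    }
    return $lines
}

$current = Get-GroupMemberDns -Dn $GroupDn -Rid $GroupRid

if (Test-Path $StatePath) {
    $previous = @(Get-Content $StatePath | Where-Object { $_ })
    if ($previous.Count -gt 0) {
        $changes = Compare-Snapshot -Previous $previous -Current $current
        if ($changes.Count -gt 0) {
            Send-MailMessage -SmtpServer $SmtpHost -From $MailFrom -To $MailTo `
                -Subject "Domain Admins membership changed ($(Get-Date -Format s))" `
                -Body ($changes -join "`n")
        }
    }
}

# Always rewrite the snapshot so the next run compares against this one.
$current | Set-Content $StatePath
```

Brian's objection later in the thread still applies to this form: a member added and removed between two runs leaves no trace in the snapshots. Keep the snapshot file and the task definition somewhere the accounts being watched cannot write, or the diff can be silenced along with the change.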
RE: Domain membership change
Only issue with that is that you could miss the change if the add and remove happens inside your batch job interval. You're better off using the event IDs posted earlier. If you have MOM/SCOM it's really easy to subscribe to these. Otherwise WMI (and I think in 2008+ graphically) you can create event subscriptions that fire on stuff like this and send emails.

Thanks,
Brian Desmond
br...@briandesmond.com
c – 312.731.3132

-Original Message-
From: Kurt Buff [mailto:kurt.b...@gmail.com]
Sent: Monday, May 24, 2010 6:22 PM
To: NT System Admin Issues
Subject: Re: Domain membership change

Adding a little blat.exe (FOSS utility for email) and fc.exe (native command for comparing files) to that mix would do just what you want.

Kurt
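Brian's event-subscription suggestion, as an added example that is not from the thread. It fires when the event is written rather than on a schedule, so an add-and-remove inside a batch interval is still seen. It assumes a Windows Server 2008 or later DC, where the global-group add/remove events are 4728/4729, an elevated session (reading the Security log over WMI needs it), and placeholder SMTP details. The InsertionStrings indexes are taken from the 4728 field order and should be checked against the event's Message on the DC. The schtasks form at the end uses the documented /SC ONEVENT trigger; the script path it runs is assumed.

```powershell
# Added example (not from the thread): two ways to react to a Domain Admins
# membership event as it is logged instead of polling for the result.
# Assumes a 2008+ DC (events 4728/4729), an elevated PowerShell 2.0+ session,
# and placeholder SMTP details.

$Mail = @{ SmtpHost = "smtp.domain.com"; From = "da-watch@domain.com"; To = "admins@domain.com" }  # placeholders

# --- 1. WMI subscription: lives as long as this PowerShell process does ---
# Win32_NTLogEvent.InsertionStrings holds the event's data fields in the order
# the 4728/4729 template lists them: [0] MemberName, [2] TargetUserName (the
# group), [6] SubjectUserName (who made the change). These indexes are assumed
# from the documented field order; confirm them against .Message on your DC.
$wql = "SELECT * FROM __InstanceCreationEvent WITHIN 5 " +
       "WHERE TargetInstance ISA 'Win32_NTLogEvent' " +
       "AND TargetInstance.Logfile = 'Security' " +
       "AND (TargetInstance.EventCode = 4728 OR TargetInstance.EventCode = 4729)"

Register-WmiEvent -Query $wql -SourceIdentifier "DomainAdminsChange" -MessageData $Mail -Action {
    $ev  = $Event.SourceEventArgs.NewEvent.TargetInstance
    $ins = $ev.InsertionStrings
    if ($ins[2] -ne "Domain Admins") { return }      # changes to other global groups are ignored

    $verb = if ($ev.EventCode -eq 4728) { "ADDED to" } else { "REMOVED from" }
    $when = [System.Management.ManagementDateTimeConverter]::ToDateTime($ev.TimeGenerated)
    $body = "$($ins[0]) $verb Domain Admins by $($ins[6]) on $($ev.ComputerName) at $when"

    $m = $Event.MessageData
    Send-MailMessage -SmtpServer $m.SmtpHost -From $m.From -To $m.To `
        -Subject "Domain Admins member $verb" -Body $body
}
# Unregister-Event -SourceIdentifier "DomainAdminsChange" stops it.

# --- 2. Event-triggered scheduled task: survives reboots, needs no session ---
# The XPath makes the task fire only for 4728/4729 whose EventData names
# Domain Admins, so the triggered script (path assumed) only has to read the
# newest matching event and mail it.
$xpath = "*[System[(EventID=4728 or EventID=4729)] and EventData[Data[@Name='TargetUserName']='Domain Admins']]"
schtasks /Create /F /TN "DomainAdmins-Membership-Alert" /SC ONEVENT /EC Security /MO $xpath `
    /RU SYSTEM /TR "powershell.exe -NonInteractive -File C:\Tools\Send-DAAlert.ps1"
```

The WMI form is the quickest to try, but it dies with the console; for anything you rely on, use the scheduled task or a collector that forwards the Security log off the DC, since an attacker with Domain Admins can also clear the local log.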
Re: Domain membership change
Nice. But, I've never touched Win2k8, and $WORK hasn't/won't spend money on monitoring tools.

OTOH, I do use the IntersectAlliance client, and cast everything to syslog, so could do something with that...

Kurt

On Mon, May 24, 2010 at 17:22, Brian Desmond br...@briandesmond.com wrote:

Only issue with that is that you could miss the change if the add and remove happens inside your batch job interval. You're better off using the event IDs posted earlier. If you have MOM/SCOM it's really easy to subscribe to these. Otherwise WMI (and I think in 2008+ graphically) you can create event subscriptions that fire on stuff like this and send emails.

Thanks,
Brian Desmond
br...@briandesmond.com
c – 312.731.3132
Re: Domain membership change
Only issue with that is that you could miss the change if the add and remove happens inside your batch job interval.

True, but how much of a practical problem is that really?

-ASB: http://XeeSM.com/AndrewBaker

On Mon, May 24, 2010 at 8:22 PM, Brian Desmond br...@briandesmond.com wrote:

Only issue with that is that you could miss the change if the add and remove happens inside your batch job interval. You're better off using the event IDs posted earlier. If you have MOM/SCOM it's really easy to subscribe to these. Otherwise WMI (and I think in 2008+ graphically) you can create event subscriptions that fire on stuff like this and send emails.

Thanks,
Brian Desmond
br...@briandesmond.com
c – 312.731.3132
Re: Domain membership change
You might be better off configuring auditing policies, running ntsyslog and reporting with an email trigger for the event ID. Just my .02

- Mark

On May 24, 2010, at 6:30 PM, Andrew S. Baker asbz...@gmail.com wrote:

Only issue with that is that you could miss the change if the add and remove happens inside your batch job interval.

True, but how much of a practical problem is that really?

-ASB: http://XeeSM.com/AndrewBaker
RE: Domain membership change
Good catch. Different event ID (4728); still have to parse the event parameters for the group name, though.

-Malcolm

-Original Message-
From: Michael B. Smith [mailto:mich...@smithcons.com]
Sent: Monday, May 24, 2010 16:45
To: NT System Admin Issues
Subject: RE: Domain membership change

Pre windows 2008. For windows 2008 and after, the event id changes. See http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=632 And related entries.

Regards,
Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com
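Malcolm's point that the group name has to come out of the event parameters, worked through as an added example that is not from the thread. It parses the event XML rather than the message text, and goes a little beyond the thread: it also handles 4756/4757, the universal-group equivalents (Enterprise Admins and Schema Admins are universal groups, so a 4728-only filter never sees changes to them), and 1102, the audit-log-cleared event Bob mentions. It assumes a 2008 or later DC (the 632/633/517 events on 2003 carry no XML event data) and PowerShell 2.0+. The watch list and the sample event are constructed for the example.

```powershell
# Added example (not from the thread): pick watched-group membership events out
# of the Security log with the group name read from the event data, not the
# message text. Event IDs used:
#   4728/4729  member added to / removed from a security-enabled GLOBAL group
#              (Domain Admins is global; these replace 632/633 from 2008 on)
#   4756/4757  the same for UNIVERSAL groups (Enterprise Admins, Schema Admins)
#   1102       audit log cleared (the 2008+ successor to 517)
# Assumes PowerShell 2.0+ on a 2008+ DC. Watch list and sample are constructed.

$WatchedGroups = @("Domain Admins", "Enterprise Admins", "Schema Admins")   # assumed watch list
$EventNs       = "http://schemas.microsoft.com/win/2004/08/events/event"

function ConvertFrom-GroupChangeEvent {
    # Takes one event's XML (what $event.ToXml() returns) and yields a summary
    # object if it is a watched-group change or a log clear, otherwise $null.
    param([string]$EventXml, [string[]]$Groups = $WatchedGroups)

    $xml = [xml]$EventXml
    $ns  = New-Object System.Xml.XmlNamespaceManager $xml.NameTable
    $ns.AddNamespace("e", $EventNs)

    $id = [int]$xml.SelectSingleNode("/e:Event/e:System/e:EventID", $ns).InnerText
    $dc = $xml.SelectSingleNode("/e:Event/e:System/e:Computer", $ns).InnerText

    if ($id -eq 1102) {
        # 1102 keeps its fields under UserData/LogFileCleared in another
        # namespace, so match on the element name only.
        $who = $xml.SelectSingleNode("//*[local-name()='SubjectUserName']").InnerText
        return New-Object PSObject -Property @{
            EventId = $id; Action = "LOG CLEARED"; Group = $null; Member = $null; By = $who; DC = $dc }
    }

    $actions = @{ 4728 = "ADDED"; 4729 = "REMOVED"; 4756 = "ADDED"; 4757 = "REMOVED" }
    if (-not $actions.ContainsKey($id)) { return $null }

    # Reads one named EventData field; $null if the event lacks it.
    $data = { param($name)
        $n = $xml.SelectSingleNode("/e:Event/e:EventData/e:Data[@Name='$name']", $ns)
        if ($n) { $n.InnerText } else { $null } }

    $group = & $data "TargetUserName"             # the group being modified
    if ($Groups -notcontains $group) { return $null }

    return New-Object PSObject -Property @{
        EventId = $id
        Action  = $actions[$id]
        Group   = $group
        Member  = & $data "MemberName"            # DN of the account added or removed
        By      = & $data "SubjectUserName"       # who made the change
        DC      = $dc
    }
}

function Get-WatchedGroupChanges {
    # Live query over the last $Hours hours. The XPath does the coarse filter
    # on the DC; the same expression works in a custom view or as an
    # event-triggered task filter. Group matching happens in the parser.
    param([int]$Hours = 24, [string[]]$Groups = $WatchedGroups)
    $ms = $Hours * 3600 * 1000
    $xpath = "*[System[(EventID=4728 or EventID=4729 or EventID=4756 or EventID=4757 or EventID=1102)" +
             " and TimeCreated[timediff(@SystemTime) <= $ms]]]"
    Get-WinEvent -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertFrom-GroupChangeEvent -EventXml $_.ToXml() -Groups $Groups } |
        Where-Object { $_ }
}

# Constructed sample 4728 (not a real log entry) so the parser runs offline.
$Sample4728 = @"
<Event xmlns="$EventNs">
  <System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4728</EventID>
    <TimeCreated SystemTime="2010-05-24T22:03:11.000Z"/><Computer>DC01.domain.com</Computer></System>
  <EventData>
    <Data Name="MemberName">CN=Some User,CN=Users,DC=domain,DC=com</Data>
    <Data Name="MemberSid">S-1-5-21-1-2-3-1105</Data>
    <Data Name="TargetUserName">Domain Admins</Data>
    <Data Name="TargetDomainName">DOMAIN</Data>
    <Data Name="TargetSid">S-1-5-21-1-2-3-512</Data>
    <Data Name="SubjectUserSid">S-1-5-21-1-2-3-1104</Data>
    <Data Name="SubjectUserName">jdoe</Data>
    <Data Name="SubjectDomainName">DOMAIN</Data>
    <Data Name="SubjectLogonId">0x3e7</Data>
    <Data Name="PrivilegeList">-</Data>
  </EventData>
</Event>
"@

ConvertFrom-GroupChangeEvent -EventXml $Sample4728 | Format-List
```

Run Get-WatchedGroupChanges on the DC, or against a collector with the Security logs forwarded to it; matching on TargetUserName is exact, so a group renamed by the same person who added themselves is still reported under whatever name the DC logged at the time.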
RE: Domain membership change
I've seen it happen when you've got people who don't belong in the groups figure out a way to temporarily add themselves. I've held a couple folks over a barbeque pit for it.

Thanks,
Brian Desmond
br...@briandesmond.com
c - 312.731.3132

From: Andrew S. Baker [mailto:asbz...@gmail.com]
Sent: Monday, May 24, 2010 8:30 PM
To: NT System Admin Issues
Subject: Re: Domain membership change

Only issue with that is that you could miss the change if the add and remove happens inside your batch job interval.

True, but how much of a practical problem is that really?

-ASB: http://XeeSM.com/AndrewBaker
Re: Domain membership change
Depends on how crafty the attac^H^H^H^H^H - the uh, lazy sysadmin is...

Kurt

On Mon, May 24, 2010 at 18:30, Andrew S. Baker asbz...@gmail.com wrote:

Only issue with that is that you could miss the change if the add and remove happens inside your batch job interval.

True, but how much of a practical problem is that really?

-ASB: http://XeeSM.com/AndrewBaker