2000 Ad security logging 1

[boell01]

How do you enable logging so when a password is changed or anything is done to a user account in active directory it is logged? We've been having some user accounts disappear and want to enable some logging to find out who's doing it.

 

[Castor66]

On the OU you want to audit, right click and select properties. Then SECURITY, ADVANCED and AUDIT. From there you can select the relevant level. I think account deletion is on by default.

Also, check who has access to do this. Maybe you have an account that has been compromised by a user who is doing this. IF you suspect this then auditting won't really help you as the account may have a generic name. Maybe, lock down the the permissions on the OU first so that they can't get at it. Change the passwords of the accounts with access and seal them away for future reference. Create a new set of user admins or admin accounts and assign them out to people who need to do user account management.

 

[boell01]

When you setup the auditing then does that information just show up in the event viewer?

 

[Castor66]

Yup - in the Security Log. Hence, you will need to do a bit of searching to find the entry you want. Remember not to log too much as you will get overwhelmed and give up! Also, make sure your system is setup to overwrite the log and not shutdown the system when full! Make it large enough to cover the period that you need to monitor.

If you log and never check the logs, what's the point of logging? <- first rule of monitoring!