Recently a problem has come up where people are ending up in groups that they shouldn't be in and are getting access to privileged information. This has now occurred twice in the last two weeks.
Someone somewhere is adding to groups with no understanding of the consequences.
Now we currently have approx. 22 Domain Admins (no, we can't chop it further) and 7 Account Operators. When asked, everyone throws their hands in the air and shouts to the heavens that they didn't do it.
I have enabled auditing and turned on "User and Group Management" and "Use of User Rights" with success and failure. However, when checking the security logs this is not giving me the information I need.
After a perusal of NT FAQ (NTFAQ/Security16.html, "How do I enable Auditing on the SAM") I attempted to enable auditing on the SAM and SECURITY keys in HKEY_LOCAL_MACHINE. However, the method that is suggested will not work on our servers; it fails with an "Unable to initialise DLL" error as it is trying to access "C:\WINNT\SYSTEM32\kernel32.dll", which the server has locked up tight.
The following is the method described in NT FAQ.
First ensure auditing is enabled on the system using User Manager - Policies menu - Audit.
Select the "Audit These Events". Choose the objects to audit and click OK.
Next, make sure the Scheduler service is running on the machine, either via the Services Control Panel applet (Start - Settings - Control Panel - Services) or by typing "net start" and looking for "Scheduler". If it is not running you can start it by typing
C:\> net start schedule
At the command prompt (cmd.exe) type
C:\> at <time> /interactive "regedt32.exe"
where <time> is a minute in the future.
This works OK right up to the moment the scheduler attempts to open it, at which point it fails with the error mentioned above.
I have attempted the FAQ method on workstations and it works fine, but it failed on the 4 servers I tried it on. The workstation security logs in fact gave me exactly the information I needed after I had turned on auditing in the registry.
Now the problem ultimately is this:
I need a tool that will give me detailed information on groups and group movements,
i.e.: "User John Smith has been added to group ADMINS by Backup Operator Lisa Jones".
I am happy to pay a reasonable amount for such a tool if there is one available. I have checked the NT4RK and NT FAQ with no success.
If anyone can suggest either a good tool or a way to get the NT FAQ method above to actually work I would be very grateful.
Our domain is mixed NT4/SP5 and Win2k/SP1.
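The report the poster is asking for ("User X has been added to group Y by Z") is exactly what the "User and Group Management" audit category records once it is read field by field rather than as a raw log. On NT4 and Win2k the relevant success events are 632 (member added to a global group), 636 (local group) and, on Win2k, 660 (universal group); each carries the member, the target group and the caller account, and it is written to the security log of the domain controller that processed the change (on an NT4 domain that is always the PDC, so the BDC logs will show nothing). The script below is an added example, not something from the original post or from NT FAQ, and it assumes a Windows Server 2008 or later domain controller, where the same three events are numbered 4728, 4732 and 4756 and can be read with Get-WinEvent; it will not run on the NT4/Win2k systems in the post, where the equivalent is Event Viewer or dumpel against the PDC's security log. The function name and parameters are mine.

```powershell
# Added example (not from the original post). Assumes a Windows Server 2008+ DC
# with "Audit Security Group Management" success auditing enabled:
#   auditpol /set /subcategory:"Security Group Management" /success:enable
# Event IDs: 4728 = global group member added, 4732 = local group, 4756 = universal.
# Each must be run against every DC, because the event is only logged on the DC
# that processed the change.
function Get-GroupMembershipChanges {
    param(
        [string[]]$ComputerName = @($env:COMPUTERNAME),   # list of DCs to query
        [int]$Hours = 24 * 14                             # look back two weeks
    )

    $start = (Get-Date).AddHours(-$Hours)
    $filter = @{ LogName = 'Security'; Id = 4728, 4732, 4756; StartTime = $start }

    foreach ($dc in $ComputerName) {
        # -ErrorAction SilentlyContinue: an unreachable DC or an empty log must not
        # abort the sweep of the remaining DCs.
        Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction SilentlyContinue |
            ForEach-Object {
                # Property order is fixed for 4728/4732/4756:
                #   0 MemberName (DN)  1 MemberSid     2 TargetUserName (group)
                #   3 TargetDomainName 4 TargetSid     5 SubjectUserSid
                #   6 SubjectUserName  7 SubjectDomainName
                $p = $_.Properties
                [pscustomobject]@{
                    Time   = $_.TimeCreated
                    DC     = $dc
                    Event  = $_.Id
                    Member = $p[0].Value                      # DN of the added account
                    Group  = "$($p[3].Value)\$($p[2].Value)"  # DOMAIN\group
                    Caller = "$($p[7].Value)\$($p[6].Value)"  # who made the change
                }
            }
    }
}

# Example run: sweep every DC in the domain, keep only sensitive groups, and
# print one line per change in the form the post asks for.
$dcs = (Get-ADDomainController -Filter *).HostName
Get-GroupMembershipChanges -ComputerName $dcs |
    Where-Object { $_.Group -match 'Domain Admins|Administrators|Account Operators|Backup Operators' } |
    Sort-Object Time |
    ForEach-Object {
        "{0:u}  [{1}] {2} was added to {3} by {4} (event {5})" -f `
            $_.Time, $_.DC, $_.Member, $_.Group, $_.Caller, $_.Event
    }
```

Two points matter when reading the output. The Caller column is the account that actually issued the change, which is what settles the "nobody did it" argument; if it shows a service or a shared admin account, the next step is the 4624 logon event with the same logon ID to see where that session came from. And because the member is recorded as a distinguished name rather than a logon name, filter on the Group column, not on Member, when looking for additions to the privileged groups.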