Tek-Tips is the largest IT community on the Internet today!
Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!
-
Congratulations IamaSherpa on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!
Can mom monitor changes in Directory/share ACL's?
- Thread starter swabs
- Start date
- Thread starter
- #2
I am getting closer.....
I have enabled auditing on a folder for "change permissions". I then created a new rule group in MOM and a new alert that looks for security event id 560. This will tell me when an ACL has changed. It lets me know the file and who made the ACL change. The one major part I can get it to do is to report back to me which user/group now has access or was removed from an ACL. Below the user that made the change was "Administrator" but the user that was given access was "adtest\test3" to the file c:\acl\test3.txt. Anyone know how to get the event to show this?
Description:
Object Open:
Object Server: Security
Object Type: File
Object Name: C:\acl\test3.txt
Handle ID: 1628
Operation ID: {0,17659332}
Process ID: 1548
Image File Name: C:\WINDOWS\explorer.exe
Primary User Name: administrator
Primary Domain: ADTEST
Primary Logon ID: (0x0,0x10436)
Client User Name: administrator
Client Domain: ADTEST
Client Logon ID: (0x0,0x10436)
Accesses: READ_CONTROL
WRITE_DAC
WRITE_OWNER
ACCESS_SYS_SEC
Privileges: SeSecurityPrivilege
SeTakeOwnershipPrivilege
Restricted Sid Count: 0
Access Mask: 0x10E0000
I have enabled auditing on a folder for "change permissions". I then created a new rule group in MOM and a new alert that looks for security event id 560. This will tell me when an ACL has changed. It lets me know the file and who made the ACL change. The one major part I can get it to do is to report back to me which user/group now has access or was removed from an ACL. Below the user that made the change was "Administrator" but the user that was given access was "adtest\test3" to the file c:\acl\test3.txt. Anyone know how to get the event to show this?
Description:
Object Open:
Object Server: Security
Object Type: File
Object Name: C:\acl\test3.txt
Handle ID: 1628
Operation ID: {0,17659332}
Process ID: 1548
Image File Name: C:\WINDOWS\explorer.exe
Primary User Name: administrator
Primary Domain: ADTEST
Primary Logon ID: (0x0,0x10436)
Client User Name: administrator
Client Domain: ADTEST
Client Logon ID: (0x0,0x10436)
Accesses: READ_CONTROL
WRITE_DAC
WRITE_OWNER
ACCESS_SYS_SEC
Privileges: SeSecurityPrivilege
SeTakeOwnershipPrivilege
Restricted Sid Count: 0
Access Mask: 0x10E0000
- Status
Similar threads
- Locked
- Question
- Locked
- Question
- Locked
- Question