Tracking AD administrator activity


  • Tracking AD administrator activity

    Howdy guys

    Does anyone know how to track which systems administrator did what to Active Directory?

    We recently had a whole bunch of user accounts, a WHOLE bunch, deleted; none of the IT team will admit to doing it. Needless to say, the IT team ended up looking fairly incompetent to senior mgt.

    Only core members of the IT team have administrator access, no one else has it.

    If there's a way to track that kind of activity, does anyone know it?

    All the best

    JHH

  • #2
    Re: Tracking AD administrator activity

    Auditing is your best friend. In this specific case auditing of "Account Management" is what you are looking for.
    I hope you do not have admins sharing generic admin accounts, as in this case there is no way to figure out who did what...
    Guy Teverovsky
    "Smith & Wesson - the original point and click interface"



    • #3
      Re: Tracking AD administrator activity

      Thanks for replying pal

      The admins all have separate accounts, there's no generics - thankfully.

      Does the auditing of Account Management have to be in place BEFORE the incident occurred or can you successfully audit retrospectively?

      Cheers

      A



      • #4
        Re: Tracking AD administrator activity

        Auditing has to be configured before. There is no way to track something that happened while auditing was turned off.
        Guy Teverovsky
        "Smith & Wesson - the original point and click interface"



        • #5
          Re: Tracking AD administrator activity

          OK, are there any third party tools that retrospectively audit user account deletion?



          • #6
            Re: Tracking AD administrator activity

            Also remember that you have to enable auditing on all DCs (edit the Default Domain Controllers Policy). And when checking the event log you need to check the logs on all DCs, as admins could bind to different DCs.

            Michael
            Michael Armstrong
            www.m80arm.co.uk
            MCITP: EA, MCTS, MCSE 2003, MCSA 2003: Messaging, CCA, VCP 3.5, 4, 5, VCAP5-DCD, VCAP5-DCA, ITIL, MCP, PGP Certified Technician

            ** Remember to give credit where credit is due and leave reputation points where appropriate **
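
The check described in #6, reading the Security log on every DC, as an added example that is not part of any poster's reply. It assumes Account Management auditing was already enabled, DCs running Windows Server 2008 or later (where a user deletion is logged as event ID 4726), the ActiveDirectory PowerShell module, and rights to read each DC's Security log remotely; the seven-day window is an arbitrary choice.

```powershell
# Added example: list who deleted which user accounts, across all domain controllers.
# Event 4726 = "A user account was deleted" (Windows Server 2008 and later).
Import-Module ActiveDirectory

$since  = (Get-Date).AddDays(-7)   # assumed look-back; limited by Security log retention
$filter = @{ LogName = 'Security'; Id = 4726; StartTime = $since }

$results = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        $events = Get-WinEvent -ComputerName $dc.HostName -FilterHashtable $filter -ErrorAction Stop
    }
    catch {
        # "No matching events" is a normal result; anything else (DC unreachable,
        # access denied) is a visibility gap and must not pass silently.
        if ($_.FullyQualifiedErrorId -notlike 'NoMatchingEventsFound*') {
            Write-Warning "$($dc.HostName): $($_.Exception.Message)"
        }
        continue
    }

    foreach ($e in $events) {
        # Named fields are in the event XML: <Data Name="SubjectUserName">...</Data>
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
            $data[$d.Name] = $d.'#text'
        }

        [pscustomobject]@{
            TimeCreated = $e.TimeCreated
            DC          = $dc.HostName      # the DC the admin was bound to
            DeletedBy   = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
            Deleted     = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
            TargetSid   = $data['TargetSid']
        }
    }
}

# One merged timeline, since each deletion is logged only on the DC that performed it
$results | Sort-Object TimeCreated | Format-Table -AutoSize
```

Running `auditpol /get /subcategory:"User Account Management"` on a DC shows whether the audit setting is actually in effect there; an empty result from the script means nothing if it is not.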



            • #7
              Re: Tracking AD administrator activity

              Originally posted by johnhenryshammer
              OK, are there any third party tools that retrospectively audit user account deletion?
              Sorry to say but this is kinda like asking if there's a tape recorder that can record a conversation I had in the past...
              Regards,
              Jeremy

              Network Consultant/Engineer
              Baltimore - Washington area and beyond
              www.gma-cpa.com

