
AD Change History


  • AD Change History

    Chaps -

    I need an urgent reply to this question as I'm helping with a forensic case...

    Is there a built-in, accessible log of changes made to user rights, file accesses, user object creation & removal, etc. within AD?

    I believe the OS is 2003 or 2008.

    Thanks in advance.
    Regards

  • #2
    Re: AD Change History

    If Directory Services access auditing is configured, the events should be accessed via the Event Viewer.
    Caesar's cipher - 3

    ZKHQ BRX HYHQWXDOOB GHFLSKHU WKLV BRX ZLOO UHDOLVH LW ZDV D ZDVWH RI WLPH!

    SFX JNRS FC U6 MNGR



    • #3
      Re: AD Change History

      Thanks L4ndy - I thought as much - it needs to be configured and is not there by default unfortunately...Cheers



      • #4
        Re: AD Change History

        Also auditing is not really suitable for forensic work as an administrator can wipe audit logs at any point (leaving traces of the wipe, but no evidence of the data)
        Tom Jones
        MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
        PhD, MSc, FIAP, MIITT
        IT Trainer / Consultant
        Ossian Ltd
        Scotland

        ** Remember to give credit where credit is due and leave reputation points where appropriate **



        • #5
          Re: AD Change History

          unless you're silently auditing elsewhere :P
          Please do show your appreciation to those who assist you by leaving Rep Point https://www.petri.com/forums/core/im.../icon_beer.gif



          • #6
            Re: AD Change History

            Talk to Security Monkey, he'll know:
            http://it.toolbox.com/blogs/securitymonkey/
            http://twitter.com/#!/chiefmonkey
            ** Remember to give credit where credit is due and leave reputation points where appropriate **
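
Added example, not posted by anyone in this thread: a read-only PowerShell check that covers the points raised above, namely whether directory auditing is configured, how far back the Security log reaches, whether it has been cleared, and which directory change events it holds. It assumes a Windows Server 2008 domain controller and an elevated session; the event IDs in the comments are the standard ones for that OS generation.

```powershell
# Added example. Read-only: it changes no audit settings and writes no data.
# Run elevated on a Windows Server 2008 (or later) domain controller.

# 1. Is directory-service auditing configured at all? (It is not by default.)
foreach ($sub in 'Directory Service Access',
                 'Directory Service Changes',
                 'User Account Management') {
    auditpol.exe /get "/subcategory:$sub"
}

# 2. How much history can the Security log hold, and how old is the oldest record?
Get-WinEvent -ListLog Security |
    Format-List LogName, LogMode, MaximumSizeInBytes, RecordCount
Get-WinEvent -LogName Security -Oldest -MaxEvents 1 |
    Format-List TimeCreated, Id

# 3. Has the log been cleared? Clearing the Security log writes event 1102
#    (event 517 on Windows Server 2003). Anything older than the newest
#    1102 is gone from this log.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1102 } `
             -ErrorAction SilentlyContinue |
    Format-List TimeCreated, Message

# 4. Object and account changes, if the auditing in step 1 was enabled:
#    4720/4726 = user account created/deleted
#    5136/5137/5141 = directory object modified/created/deleted
$changeIds = 4720, 4726, 5136, 5137, 5141
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $changeIds } `
             -ErrorAction SilentlyContinue |
    Sort-Object TimeCreated |
    Select-Object TimeCreated, Id,
        @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize
```

To run steps 3 and 4 against an exported `.evtx` copy instead of the live log, replace the `LogName` key in the hashtable with `Path` pointing at the file.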
