audit permission change
  • audit permission change

    Hi

    I want to know which user changes permissions on certain folders.

    I'm suspecting that one of my users knows the password of another user,
    and I want to audit the permission change, so I have proof of that.


    How do I do that?

    Thanks
    Yaniv

  • #2
    Re: audit permission change

    A quick search on these forums for the words "enable auditing" resulted in a plethora of results. This one should suffice: http://forums.petri.com/showthread.p...nable+auditing

    Learning to search is an essential skill if you are administering a network.
    1 1 was a racehorse.
    2 2 was 1 2.
    1 1 1 1 race 1 day,
    2 2 1 1 2



    • #3
      Re: audit permission change

      First of all, I did a search.
      Second, I've found this post, but didn't find it helpful.

      How is it related to what I asked?
      I don't want to know if a user is logged on from his computer or another.
      I want to know if a user changed any permission, and who is the user. (On the file server)



      Thanks
      Yaniv



      • #4
        Re: audit permission change

        Wonderful tool, that
        http://www.google.co.uk/search?hl=en...n+change&meta=

        Have a look at the very first hit
        Tom Jones
        MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
        PhD, MSc, FIAP, MIITT
        IT Trainer / Consultant
        Ossian Ltd
        Scotland

        ** Remember to give credit where credit is due and leave reputation points where appropriate **



        • #5
          Re: audit permission change

          Originally posted by Yaniv Hoobian
          First of all, I did a search.
          Second, I've found this post, but didn't find it helpful.

          How is it related to what I asked?
          I don't want to know if a user is logged on from his computer or another.
          I want to know if a user changed any permission, and who is the user. (On the file server)



          Thanks
          Yaniv
          Am I supposed to be an effing psychic so I know what you have searched for and found?

          It relates to EXACTLY what you asked. It shows you how to enable auditing and that is what you were asking even though you were fairly economical with your words. I am NOT going to give you step by step instructions on how to perform a task when you are shown how the process works and if you really are an Administrator you should have the nous to work it out for yourself.


          • #6
            Re: audit permission change

            Originally posted by biggles77
            Am I supposed to be an effing psychic so I know what you have searched for and found?
            Yes
            Tom Jones


            • #7
              Re: audit permission change

              biggles77, no, you aren't supposed to, but you should be...

              First of all, I'm sorry for the misunderstanding.

              I'll explain more.

              I have the audit configured, but no record (560) is logged in the security log.


              And Ossian, I did search Google, but I added "server 2003" to the search so I didn't get your results.

              So, I have a problem and need help.

              Thanks
              Yaniv



              • #8
                Re: audit permission change

                OK, so now we home in on the problem. Run through these and provide clear answers to each, please.

                Have you configured auditing of object access through group policy?
                Is the GP applying to the relevant servers (have you checked through GPModelling)?
                Have you configured auditing on the resources you want to audit?
                What auditing have you configured?
                Are you getting any audit events in your security logs?
                Have you checked logs on the servers and DCs?
                Why didn't you say this in your first post -- it looked like you wanted to know HOW to configure auditing?

                Tom
                Tom Jones


                • #9
                  Re: audit permission change

                  1. I'm not using group policy on this server, I've configured it on the "domain security policy" (the server is a DC)

                  2. I've configured audit for permission change and take ownership. (Success)

                  3. I'm getting other auditing events but not the 560 one.

                  4. In my first post I thought I did something wrong so I wanted to ask how this should be done.

                  5. For my test, I've enabled audit on a certain folder, and then added a user to the security tab, and configured permission for that user.

                  6. I'm assuming that the audit will show administrators' actions as well, is that true?


                  Thanks
                  Yaniv



                  • #10
                    Re: audit permission change

                    Yaniv,
                    If you configured auditing in "domain security policy" this should apply to the whole domain. Can you confirm it was this and not "domain controllers security policy"?

                    You will need to check for audit events on the computer where the activity occurs -- I suggest you enable all audit options, check the events you want are generated, and then turn off unneeded ones. Audit failure as well as success "just in case".

                    If you use Group Policy Modelling or gpresult you should be able to check the audit policy is being applied to the combination of computer and user you are trying, so then just look for the events.
                    Tom Jones


                    • #11
                      Re: audit permission change

                      Yes, I can confirm it.

                      And I've found the problem.
                      In the domain controller security, the object access auditing was configured as "no auditing".
                      Now the 560 event is logged.

                      But I have another question: looking at the 560 event, I can tell which user changed the permission.
                      How can I tell which permission he changed?


                      Thanks again
                      Yaniv



                      • #12
                        Re: audit permission change

                        Well done on fixing it -- DCSP will override DSP so "no auditing" beat "auditing".

                        I'm not absolutely sure, but I think if the permission changed is not in the event log, you will not have it done.
                        Of course, if you see anyone who shouldn't changing permissions, you can ask them!

                        In general, normal users should never be given Full Control precisely because it does let them change permissions -- Modify / Change is the most a non-administrator should need.

                        Tom
                        Tom Jones
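As an added illustration of reading the 560 events discussed in posts #9 to #12 (not code from any poster in this thread): the script below picks out, from exported event descriptions, the opens that requested the rights behind "change permissions" and "take ownership" and reports the account responsible. The field names are assumed to follow the Server 2003 event 560 description text; the account names and paths are constructed.

```python
import re

# Standard Windows access-right bits: change the DACL / take ownership.
RIGHTS = (("WRITE_DAC", 0x00040000), ("WRITE_OWNER", 0x00080000))

# Constructed sample descriptions (not from the thread); field layout is assumed.
SAMPLE_EVENTS = [
    r"""Object Open:
    Object Name: D:\Shares\Finance
    Primary User Name: jsmith
    Primary Domain: EXAMPLE
    Client User Name: -
    Client Domain: -
    Accesses: READ_CONTROL
        WRITE_DAC
    Access Mask: 0x60000""",
    r"""Object Open:
    Object Name: D:\Shares\Finance\budget.xls
    Primary User Name: akhan
    Primary Domain: EXAMPLE
    Client User Name: -
    Client Domain: -
    Access Mask: 0x20001""",
    r"""Object Open:
    Object Name: D:\Shares\HR
    Primary User Name: FS01$
    Primary Domain: EXAMPLE
    Client User Name: dbadmin
    Client Domain: EXAMPLE
    Access Mask: 0x80000""",
]

def parse_560(text):
    """Map the 'Field Name: value' lines of one event description to a dict."""
    pairs = re.findall(r"^[ \t]*([A-Za-z ]+?):[ \t]*(.*)$", text, re.M)
    return {k: v.strip() for k, v in pairs}

def permission_changes(events):
    """Return (account, object, rights) for opens that asked to change ACL or owner."""
    hits = []
    for text in events:
        f = parse_560(text)
        mask = int(f.get("Access Mask", "0"), 16)
        rights = [name for name, bit in RIGHTS if mask & bit]
        # Assumption: for access over a share the client fields name the real user.
        side = "Client" if f.get("Client User Name", "-") != "-" else "Primary"
        if rights:
            hits.append((f"{f[side + ' Domain']}\\{f[side + ' User Name']}", f["Object Name"], rights))
    return hits
```

A hit means the object was opened with the right to change its permissions or owner; the fields parsed here do not carry the contents of the ACL.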


                        • #13
                          Re: audit permission change

                          Of course you are right.
                          But my problem is that I think my DBA knows one of my IT team member's password.
                          But I need proof, so I can break his legs...

                          I appreciate any help


                          Thanks
                          Yaniv
