AD account change log


  • Dear :


    Enable auditing in Default Domain Controller Policy.
    a) Open Active Directory Users & Computers
    b) Right click “Domain Controllers” container, select “Properties”, then select “Group Policy” tab
    c) Highlight “Default Domain Controllers Policy”, click “Edit”
    d) The setting is under “Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit directory service access”
    e) Double click to open it, check “Define these policy…”, then check both “Success” and “Failure”
    f) OK to close it. Close the GPO Editor. OK to close “domain controllers properties” windows
    Wait for the new policy setting to be effective (normally 5 minutes)
    Enable auditing on the AD object(s) individually (I take Windows 2000 as an example)
    a) Open Active Directory Users & Computers
    b) Right click the user you want to enable auditing, select “properties”, select “Security”, click on “Advanced”, select “Auditing” tab
    c) Click “add” button, in the Object Picker window, type "everyone", click “OK”
    d) In "Auditing Entry for xxx" dialog, select "properties"
    e) For “apply onto” dropdown list, select an appropriate type (* Objects)
    f) Select the Write permission on the attribute ShowInAddressBook to audit in Access box.
    g) Click OK to close all windows
    Alternatively, you can also enable a bunch of users for auditing all at once:
    a) Do exactly the same steps as step "Enable auditing on the AD object(s) individually", but select an OU in step b) instead of a single user
    However, based on my testing, it will not work on the Contact objects.
    Search the Security log in Event Viewer on the AD server for event ID 566 to see who made the change:
    Event Type: Success Audit
    Event Source: Security
    Event Category: Directory Service Access
    Event ID: 566
    Date:  2005/7/29
    Time:  下午 05:39:02
    User:  MICROSOFT\Administrator
    Computer: DC01
    Object Operation:
      Object Server: DS
      Operation Type: Object Access
      Object Type: contact
      Object Name: CN=KennyChen,OU=GTSC,DC=microsoft,DC=com  <-- the object that was modified
      Handle ID: -
      Primary User Name: DC01$
      Primary Domain: MICROSOFT
      Primary Logon ID: (0x0,0x3E7)
      Client User Name: Administrator <-- who modified it
      Client Domain: MICROSOFT
      Client Logon ID: (0x0,0x1A2283)
      Accesses: Write Property
     Write Property
      Public Information
      Additional Info:
      Additional Info2:
      Access Mask: 0x20




    July 15, 2008, 2:34 PM
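
The event 566 record in the post above can be reduced to "who changed which object" automatically once the event description is copied out of Event Viewer as text. The following is an added example, not part of the original post: the function names `parse_event` and `summarize_566` are hypothetical, the sample text is constructed from a subset of the fields shown in the post, and the access-mask table assumes the standard ADS_RIGHTS_ENUM bit values.

```python
import re

# Directory-service access rights (ADS_RIGHTS_ENUM bits) seen in "Access Mask".
DS_RIGHTS = {
    0x01: "Create Child", 0x02: "Delete Child", 0x04: "List Contents",
    0x08: "Write Self", 0x10: "Read Property", 0x20: "Write Property",
    0x40: "Delete Tree", 0x80: "List Object", 0x100: "Control Access",
}

# Constructed sample: a subset of the event 566 text shown in the post.
SAMPLE_EVENT = """\
Event ID: 566
Object Operation:
  Object Server: DS
  Object Type: contact
  Object Name: CN=KennyChen,OU=GTSC,DC=microsoft,DC=com  <-- annotation
  Client User Name: Administrator
  Client Domain: MICROSOFT
  Client Logon ID: (0x0,0x1A2283)
  Accesses: Write Property
  Access Mask: 0x20
"""

def parse_event(text):
    """Map each 'Name: value' line of an event description to a dict entry."""
    fields = {}
    for line in text.splitlines():
        line = re.sub(r"\s*<--.*$", "", line)  # drop hand-written annotations
        m = re.match(r"\s*([A-Za-z0-9 ]+?):\s*(.*?)\s*$", line)
        if m and m.group(2):
            fields.setdefault(m.group(1), m.group(2))  # first occurrence wins
    return fields

def summarize_566(text):
    """Return who changed which object, or None if not a DS event 566."""
    f = parse_event(text)
    if f.get("Event ID") != "566" or f.get("Object Server") != "DS":
        return None
    mask = int(f.get("Access Mask", "0"), 16)
    return {
        "actor": f"{f.get('Client Domain', '?')}\\{f.get('Client User Name', '?')}",
        "object": f.get("Object Name"),
        "object_type": f.get("Object Type"),
        "logon_id": f.get("Client Logon ID"),
        "rights": [n for bit, n in sorted(DS_RIGHTS.items()) if mask & bit],
    }

if __name__ == "__main__":
    print(summarize_566(SAMPLE_EVENT))
```

The actor is taken from the Client fields rather than the Primary fields, because in the sample the Primary user is the domain controller's own machine account (DC01$).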