AD account change LOG

Answer

  • Dear :

    Enable the AD object auditing feature.

    Enable auditing in Default Domain Controller Policy.

    a) Open Active Directory Users & Computers
    b) Right click the “Domain Controllers” container, select “Properties”, then select the “Group Policy” tab
    c) Highlight “Default Domain Controllers Policy”, click “Edit”
    d) The setting is under “Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit directory service access”
    e) Double click to open it, check “Define these policy…”, then check both “Success” and “Failure”
    f) OK to close it. Close the GPO Editor. OK to close the “Domain Controllers Properties” window

    Wait for the new policy setting to become effective (normally 5 minutes)

    Enable auditing on the AD object(s) individually (I take Windows 2000 as an example)

    a) Open Active Directory Users & Computers
    b) Right click the user you want to enable auditing for, select “Properties”, select “Security”, click “Advanced”, select the “Auditing” tab
    c) Click the “Add” button, in the Object Picker window type "everyone", click “OK”
    d) In the "Auditing Entry for xxx" dialog, select "Properties"
    e) In the “Apply onto” dropdown list, select an appropriate type (* Objects)
    f) In the Access box, select the Write permission on the ShowInAddressBook attribute to audit.
    g) Click OK to close all windows

    Alternatively, you can also enable a bunch of users for auditing all at once:
    a) Do exactly the same steps as in "Enable auditing on the AD object(s) individually", but select an OU in step b) instead of a single user

    However, based on my testing, it will not work on Contact objects.

    Search the Security event log in Event Viewer on the AD server for Event ID 566 to see who made the change:

    Event Type: Success Audit
    Event Source: Security
    Event Category: Directory Service Access
    Event ID: 566
    Date:  2005/7/29
    Time:  下午 05:39:02
    User:  MICROSOFT\Administrator
    Computer: DC01
    Description:
    Object Operation:
      Object Server: DS
      Operation Type: Object Access
      Object Type: contact
      Object Name: CN=KennyChen,OU=GTSC,DC=microsoft,DC=com  <-- the object that was modified
      Handle ID: -
      Primary User Name: DC01$
      Primary Domain: MICROSOFT
      Primary Logon ID: (0x0,0x3E7)
      Client User Name: Administrator <-- who modified it
      Client Domain: MICROSOFT
      Client Logon ID: (0x0,0x1A2283)
      Accesses: Write Property
      Properties:
     Write Property
      Public Information
       showInAddressBook
     contact
      Additional Info:
      Additional Info2:
      Access Mask: 0x20

    The above information is provided for your reference.

    15 July 2008, 02:34 PM
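As an added example, not part of the original answer, a small Python parser for the Event ID 566 description shown above: it pulls out which Client user wrote which attribute on which object, so a batch of exported 566 events can be filtered for showInAddressBook changes. The sample event text is constructed from the answer, and the function names are my own.

```python
import re
FIELD_RE = re.compile(r"^([A-Za-z0-9 ]+?):\s*(.*)$")

# Constructed sample: the Event ID 566 description quoted in the answer above.
SAMPLE_EVENT_566 = """\
  Object Type: contact
  Object Name: CN=KennyChen,OU=GTSC,DC=microsoft,DC=com
  Primary User Name: DC01$
  Primary Domain: MICROSOFT
  Client User Name: Administrator
  Client Domain: MICROSOFT
  Accesses: Write Property
  Properties:
 Write Property
   showInAddressBook
 contact
  Additional Info:
  Access Mask: 0x20
"""

def parse_event_566(description):
    """Return {field: value, "attributes": [...]}. Lines between "Properties:"
    and "Additional Info" list the access, property set and attributes written."""
    fields, attrs, in_props = {}, [], False
    for stripped in map(str.strip, description.splitlines()):
        if not stripped:
            continue
        if stripped == "Properties:":
            in_props = True
            continue
        if stripped.startswith("Additional Info"):
            in_props = False          # end of the attribute list
        if in_props:
            attrs.append(stripped)
            continue
        m = FIELD_RE.match(stripped)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    fields["attributes"] = attrs
    return fields

def who_changed_attribute(description, attribute):
    """(DOMAIN\\user, object DN) if the event records a write to `attribute`; else
    None. The editor is the Client user, not the Primary user (the DC's own DC01$)."""
    ev = parse_event_566(description)
    if "Write Property" not in ev.get("Accesses", "") or \
            attribute.lower() not in (a.lower() for a in ev["attributes"]):
        return None
    return (ev["Client Domain"] + "\\" + ev["Client User Name"], ev["Object Name"])
```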