Auditing...Who Did What and When?

[nick]

We have a file on our server which was modified. Upon checking
permissions it was found that only the IT group had access to this
file. However, extra members were added to the IT group which did not
belong there. Is it possible to find out when those members were
added, and who added them? We had some junior admins. here and I'd
liked to find out which one made the change.

 

[Richard G. Harper]

Unless you already had auditing in place at the time of the changes, there's
no way to go back later and discover who did what.

--
Richard G. Harper [MVP Shell/User] (e-mail address removed)
* NEW! Catch my blog ... http://msmvps.com/blogs/rgharper/
* PLEASE post all messages and replies in the newsgroups
* The Website - http://rgharper.mvps.org/
* HELP us help YOU ... http://www.dts-l.org/goodpost.htm

 

[nick]

Unless you already had auditing in place at the time of the changes, there's
no way to go back later and discover who did what.

--
Richard G. Harper [MVP Shell/User] (e-mail address removed)
* NEW! Catch my blog ...http://msmvps.com/blogs/rgharper/
* PLEASE post all messages and replies in the newsgroups
* The Website -http://rgharper.mvps.org/
* HELP us help YOU ...http://www.dts-l.org/goodpost.htm

We have a file on our server which was modified. Upon checking
permissions it was found that only the IT group had access to this
file. However, extra members were added to the IT group which did not
belong there. Is it possible to find out when those members were
added, and who added them? We had some junior admins. here and I'd
liked to find out which one made the change.- Hide quoted text -

- Show quoted text -

Is there a standard way to put auditing in place? Let's say I wanted
to definitely track this information because some admin. gave
permissions, and is blaming the other admin. What's the best way to
keep track of this stuff?

 

[Kurt]

Unless you already had auditing in place at the time of the changes, there's
no way to go back later and discover who did what.

--
Richard G. Harper [MVP Shell/User] (e-mail address removed)
* NEW! Catch my blog ...http://msmvps.com/blogs/rgharper/
* PLEASE post all messages and replies in the newsgroups
* The Website -http://rgharper.mvps.org/
* HELP us help YOU ...http://www.dts-l.org/goodpost.htm

We have a file on our server which was modified. Upon checking
permissions it was found that only the IT group had access to this
file. However, extra members were added to the IT group which did not
belong there. Is it possible to find out when those members were
added, and who added them? We had some junior admins. here and I'd
liked to find out which one made the change.- Hide quoted text -

- Show quoted text -

Is there a standard way to put auditing in place? Let's say I wanted
to definitely track this information because some admin. gave
permissions, and is blaming the other admin. What's the best way to
keep track of this stuff?

There are tons of things you can audit, and some you can't. There's no
"standard" audit policy. The best thing to do is research auditing -
most of which you can do online for free - then choose the kinds of
things you want to audit and set parameters accordingly.

....kurt

 

[Richard G. Harper]

You can audit pretty much anything that happens but it's not going to be
pretty, easy; and no, there's no "standard" to auditing events. Start by
searching both TechNet and MSDN at microsoft.com for "auditing" and "event
viewer" and you'll find dozens of white papers, reference articles, etc.

--
Richard G. Harper [MVP Shell/User] (e-mail address removed)
* NEW! Catch my blog ... http://msmvps.com/blogs/rgharper/
* PLEASE post all messages and replies in the newsgroups
* The Website - http://rgharper.mvps.org/
* HELP us help YOU ... http://www.dts-l.org/goodpost.htm

Unless you already had auditing in place at the time of the changes,
there's
no way to go back later and discover who did what.

--
Richard G. Harper [MVP Shell/User] (e-mail address removed)
* NEW! Catch my blog ...http://msmvps.com/blogs/rgharper/
* PLEASE post all messages and replies in the newsgroups
* The Website -http://rgharper.mvps.org/
* HELP us help YOU ...http://www.dts-l.org/goodpost.htm

We have a file on our server which was modified. Upon checking
permissions it was found that only the IT group had access to this
file. However, extra members were added to the IT group which did not
belong there. Is it possible to find out when those members were
added, and who added them? We had some junior admins. here and I'd
liked to find out which one made the change.- Hide quoted text -

- Show quoted text -

Is there a standard way to put auditing in place? Let's say I wanted
to definitely track this information because some admin. gave
permissions, and is blaming the other admin. What's the best way to
keep track of this stuff?

 

[nick]

You can audit pretty much anything that happens but it's not going to be
pretty, easy; and no, there's no "standard" to auditing events. Start by
searching both TechNet and MSDN at microsoft.com for "auditing" and "event
viewer" and you'll find dozens of white papers, reference articles, etc.

--
Richard G. Harper [MVP Shell/User] (e-mail address removed)
* NEW! Catch my blog ...http://msmvps.com/blogs/rgharper/
* PLEASE post all messages and replies in the newsgroups
* The Website -http://rgharper.mvps.org/
* HELP us help YOU ...http://www.dts-l.org/goodpost.htm

Unless you already had auditing in place at the time of the changes,
there's
no way to go back later and discover who did what.
--
Richard G. Harper [MVP Shell/User] (e-mail address removed)
* NEW! Catch my blog ...http://msmvps.com/blogs/rgharper/
* PLEASE post all messages and replies in the newsgroups
* The Website -http://rgharper.mvps.org/
* HELP us help YOU ...http://www.dts-l.org/goodpost.htm

We have a file on our server which was modified. Upon checking
permissions it was found that only the IT group had access to this
file. However, extra members were added to the IT group which did not
belong there. Is it possible to find out when those members were
added, and who added them? We had some junior admins. here and I'd
liked to find out which one made the change.- Hide quoted text -
- Show quoted text -

Is there a standard way to put auditing in place? Let's say I wanted
to definitely track this information because some admin. gave
permissions, and is blaming the other admin. What's the best way to
keep track of this stuff?- Hide quoted text -

- Show quoted text -

Thanks for the replies!

 

[Richard G. Harper]

You're welcome, and good luck!

--
Richard G. Harper [MVP Shell/User] (e-mail address removed)
* NEW! Catch my blog ... http://msmvps.com/blogs/rgharper/
* PLEASE post all messages and replies in the newsgroups
* The Website - http://rgharper.mvps.org/
* HELP us help YOU ... http://www.dts-l.org/goodpost.htm

You can audit pretty much anything that happens but it's not going to be
pretty, easy; and no, there's no "standard" to auditing events. Start by
searching both TechNet and MSDN at microsoft.com for "auditing" and
"event
viewer" and you'll find dozens of white papers, reference articles, etc.

--
Richard G. Harper [MVP Shell/User] (e-mail address removed)
* NEW! Catch my blog ...http://msmvps.com/blogs/rgharper/
* PLEASE post all messages and replies in the newsgroups
* The Website -http://rgharper.mvps.org/
* HELP us help YOU ...http://www.dts-l.org/goodpost.htm

Unless you already had auditing in place at the time of the changes,
there's
no way to go back later and discover who did what.

--
Richard G. Harper [MVP Shell/User] (e-mail address removed)
* NEW! Catch my blog ...http://msmvps.com/blogs/rgharper/
* PLEASE post all messages and replies in the newsgroups
* The Website -http://rgharper.mvps.org/
* HELP us help YOU ...http://www.dts-l.org/goodpost.htm

We have a file on our server which was modified. Upon checking
permissions it was found that only the IT group had access to this
file. However, extra members were added to the IT group which did
not
belong there. Is it possible to find out when those members were
added, and who added them? We had some junior admins. here and I'd
liked to find out which one made the change.- Hide quoted text -

- Show quoted text -

Is there a standard way to put auditing in place? Let's say I wanted
to definitely track this information because some admin. gave
permissions, and is blaming the other admin. What's the best way to
keep track of this stuff?- Hide quoted text -

- Show quoted text -

Thanks for the replies!