Monitor the Adminstrator

[Mail Man]

Hi 2 Security concerns
First:-
How to make sure Even your Administrator
can not alter and Log files and Audit Policy
Second:-
any good tool which can easily track changes in your Active Directory
like user has been add to or remove from group
permissions has been modified in Folders or Files


Thanks 4 your Time& effort

 

[Linda]

Hi, I can not help you, but just wanted to ask a question,
if you do not mind. I have never used a newsgroup before
and was reading about them and read that you have to sign
up for them and configure your email to accept newsgroup
messages. While on this MS site, I do not see anywhere
that says you have to sign up or do anything besides click
on "post" or "reply" etc. I wrote to someone else earlier
and got the mail back as undeliverable. Then I noticed
that the person, like many others, did not put their email
address on their post like you did. So, I am guessing
that if there is no email address, the person replies to
the post and it looks like a new post on the screen. If
an address is given the replier can respond the same way
or email the person privately. Am I correct in my
assumptions? Is there anything else I should know about
this? If you have posted many times before, do you
usually get responses? Thanks for helping, I appreciate
it! Linda

 

[Steven L Umbach]

You can't realistically restrict an administrator. You can monitor events by
auditing, though an administrator can clear the security log which in itself will
leave an event, and a malicious administrator could modify the security log. While it
is a good idea to audit, you really need to trust people that are administrators and
in W2K for AD, delegation can be used to do most things without making a user an
administrator.

See the link below on auditing. For starts it is a good idea to at least audit
account logon events and account management on domain controllers, logon events on
servers and domain workstations. --- Steve

http://www.microsoft.com/technet/security/guidance/secmod144.mspx

 

[Mail Man]

Hi Linda
this is not MS Site it a Google news Group
and for me when I need to post it ask me to enter my email and
password

I Tried to put fake email to avoid spam but it did not work beacuse
they send send you verification link to your email
hope that answer your question
thanks for passing bye

 

[Mail Man]

Hi Steven
Thanks for your help and if I understood you correctly
the Admin password must be kept with non IT person
after we delegated all activity to be done in AD to other accounts

 

[Torgeir Bakken \(MVP\)]

Hi Linda
this is not MS Site it a Google news Group
and for me when I need to post it ask me to enter my email and
password

I Tried to put fake email to avoid spam but it did not work beacuse
they send send you verification link to your email
hope that answer your question
thanks for passing bye

Hi

Actually, it is a Microsoft newsgroup hosted on Microsoft servers (but
replicated with other non-Microsoft news servers around the world).

It is only when posting through Google you need a valid e-mail address.

 

[Lanwench [MVP - Exchange]]

Hire only admins you can trust.
Enable security auditing.
Set up both "regular user" and "admin equivalent" passwords for all network
admins, and make sure they use their regular user accounts for most of their
work.
Don't give anyone the 'real' domain admin credentials.

 

[Steven L Umbach]

What I mean is that it is best to keep the number of administrators to a minimum of
trusted people and take advantage of AD delegation to do tasks that can be done by a
non administrator instead of giving that person admin powers. I don't necessarily
agree with keeping the admin passwords with non IT people as their will be times
where that will be a problem and you need to have a few people you can trust with the
domain. --- Steve