Chuck Chopp
I can get Account Management events in the security eventlog for certain
specific operations that have been performed on users & groups, such as
creating/deleting a user or group, adding/removing group members, and even
changing certain naming attributes such as the SAM Account Name or the User
Principal Name.
What I can't seem to readily track are actual object naming changes that
involve a change to the RDN of the object itself. For example, in ADUC, you
can hit F2 on a selected user or group and rename the object w/o making any
changes to the SAM Account Name or the User Principal Name. However,
there's no Account Management event generated for this type of change. I'm
thinking that I may need to fall back on using the DirSync control in a
search operation to track this sort of change. It would also be desirable
to track object moves regardless of whether or not the object is renamed so
that I could identify when a user or group moves between a container and an
OU, or vice versa, or between 2 different OUs in the same domain, or even
between domains in the same forest. Ideally, I'd like to capture the rename
or move event, along with both the old & new FDN values for the object and
the object's GUID, too.
Am I missing something obvious in terms of auditing settings for AD that
could be enabled to cause these types of changes to be reported in an eventlog?
--
Chuck Chopp
ChuckChopp (at) rtfmcsi (dot) com
http://www.rtfmcsi.com
RTFM Consulting Services Inc.
103 Autumn Hill Road
Greer, SC 29651
864 801 2795 voice & voicemail
864 801 2774 fax
"Racing to save lives"
The Leukemia & Lymphoma Society - Team in Training
http://www.active.com/donate/tntsc/tntscCChopp
Do not send me unsolicited commercial email.
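An added example, not part of Chuck's post and not code from any Microsoft tool, of the DirSync fallback he describes. It assumes the caller has already run the search with the LDAP_SERVER_DIRSYNC_OID control (1.2.840.113556.1.4.841) and pulled objectGUID and distinguishedName from each object returned; the GUIDs and DNs below are constructed sample data. The idea is to persist a map keyed on objectGUID, because the GUID survives both an F2 rename and a move while the DN does not, so any DN change for a known GUID between rounds is the rename or move event, reported with both the old and new DN and the GUID. The classification also distinguishes container-to-OU, OU-to-OU and cross-domain moves, which goes slightly beyond the single case in the post.

```python
"""Detect AD object renames and moves from successive DirSync deltas.

Added example (not the original post's code). The LDAP search itself is
outside this block; it only needs objectGUID -> distinguishedName pairs
for the objects each DirSync round reports as changed.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


def split_dn(dn: str) -> List[str]:
    """Split a DN into its RDN components on unescaped commas."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # keep escape pairs such as "\," intact
            cur.extend((ch, dn[i + 1]))
            i += 2
            continue
        if ch == ",":
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur).strip())
    return parts


def dn_parts(dn: str) -> Tuple[str, str, str]:
    """Return (rdn, parent_dn, domain_dn) for a DN."""
    parts = split_dn(dn)
    parent = ",".join(parts[1:])
    domain = ",".join(p for p in parts if p.upper().startswith("DC="))
    return parts[0], parent, domain


def parent_kind(parent_dn: str) -> str:
    """Describe the immediate parent: container (CN=), OU (OU=) or domain root."""
    first = split_dn(parent_dn)[0].upper() if parent_dn else ""
    if first.startswith("OU="):
        return "OU"
    if first.startswith("CN="):
        return "container"
    if first.startswith("DC="):
        return "domain root"
    return "unknown"


@dataclass
class Change:
    guid: str
    kind: str
    old_dn: str
    new_dn: str


def classify(old_dn: str, new_dn: str) -> str:
    """Name the kind of DN change: rename, move (with parent kinds) or both."""
    old_rdn, old_parent, old_dom = dn_parts(old_dn)
    new_rdn, new_parent, new_dom = dn_parts(new_dn)
    renamed = old_rdn.lower() != new_rdn.lower()
    moved = old_parent.lower() != new_parent.lower()
    if not renamed and not moved:
        return "unchanged"
    if moved:
        kind = "cross-domain move" if old_dom.lower() != new_dom.lower() else "move"
        kind += f" ({parent_kind(old_parent)} -> {parent_kind(new_parent)})"
        return kind + " + rename" if renamed else kind
    return "rename"


def diff_snapshot(known: Dict[str, str], delta: Dict[str, str]) -> List[Change]:
    """known: objectGUID -> last seen DN (persisted between rounds).
    delta: objectGUID -> DN for objects the latest DirSync round returned.
    Returns the rename/move events and updates `known` in place."""
    changes = []
    for guid, new_dn in delta.items():
        old_dn = known.get(guid)
        if old_dn is None:
            changes.append(Change(guid, "new object (first seen)", "", new_dn))
        else:
            kind = classify(old_dn, new_dn)
            if kind != "unchanged":       # attribute-only edits are not naming events
                changes.append(Change(guid, kind, old_dn, new_dn))
        known[guid] = new_dn
    return changes


# Constructed sample: state recorded by an earlier full DirSync pass.
BASELINE = {
    "11111111-1111-1111-1111-111111111111": "CN=Jane Doe,CN=Users,DC=corp,DC=example",
    "22222222-2222-2222-2222-222222222222": "CN=Helpdesk,OU=Groups,DC=corp,DC=example",
    "33333333-3333-3333-3333-333333333333": "CN=John Smith,OU=Sales,DC=corp,DC=example",
    "44444444-4444-4444-4444-444444444444": "CN=Svc\\, Backup,OU=Service Accounts,DC=corp,DC=example",
}
# Constructed sample: objects the next round reports as changed since the cookie.
DELTA = {
    "11111111-1111-1111-1111-111111111111": "CN=Jane Doe,OU=Staff,DC=corp,DC=example",      # moved container -> OU
    "22222222-2222-2222-2222-222222222222": "CN=Service Desk,OU=Groups,DC=corp,DC=example", # F2 rename only
    "33333333-3333-3333-3333-333333333333": "CN=John Smith,OU=Sales,DC=emea,DC=example",    # moved to another domain
    "44444444-4444-4444-4444-444444444444": "CN=Svc\\, Backup,OU=Service Accounts,DC=corp,DC=example",  # only an attribute changed
    "55555555-5555-5555-5555-555555555555": "CN=New Hire,OU=Staff,DC=corp,DC=example",
}


def run_sample() -> List[Change]:
    known = dict(BASELINE)
    return diff_snapshot(known, DELTA)


if __name__ == "__main__":
    for c in run_sample():
        print(f"{c.guid} {c.kind}: '{c.old_dn}' -> '{c.new_dn}'")
```

Two caveats when wiring this to a real DirSync loop: a DirSync search is scoped to one naming context, so a cross-domain move shows up as a tombstone in the source domain and a fresh object with the same objectGUID in the target, and the map only sees it as a move if both domains are polled into the same map; and the map must be persisted together with the DirSync cookie, because a restart that discards it turns every later rename into a "first seen" entry.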