| Author | Messages | |
kcnychief
Posts:0
 | | 12/16/2009 1:28 PM |
| I'm looking into a few solutions for auditing changes to Active Directory, including GPO related items. I already have a few I'm looking at - but wondering what some of you may be using. I welcome suggestions for viable free utilities or scripts that can get the job done.
________________________________ CONFIDENTIALITY NOTICE: This e-mail message (including attachments) is covered by the Electronic Communications Privacy Act, 18 U.S.C. 2510-2521, and is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material. Any unauthorized review, use, disclosure, dissemination, copying, forwarding or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message. If you are the intended recipient but do not wish to receive communication through this medium, please so advise the sender immediately.
| | | |
| DLinkOZ
Posts:10
 | | 12/16/2009 1:28 PM |
| Far from free, but Netwrix AD Reporter has saved my bacon many times. Just in terms of potentially missed SLAs, it has paid for itself.
-----Original Message----- From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Derek Rose Sent: Thursday, October 22, 2009 8:26 AM To: xxxxxxxxxxxxxxxx Subject: [gptalk] AD Auditing
I'm looking into a few solutions for auditing changes to Active Directory, including GPO related items. I already have a few I'm looking at - but wondering what some of you may be using. I welcome suggestions for viable free utilities or scripts that can get the job done.
| | | |
| petertjohnson
Posts:17
 | | 12/16/2009 1:28 PM |
| Quest do a really good tool as well.
Kind Regards Peter Johnson I.T Architect South Africa: +27 11 252 1100 Swaziland: +268 442 7000 Mobile: +2783 306 0019 xxxxxxxxxxxxxxxx
This email message (including attachments) contains information which may be confidential and/or legally privileged. Unless you are the intended recipient, you may not use, copy or disclose to anyone the message or any information contained in the message or from any attachments that were sent with this email, and If you have received this email message in error, please advise the sender by email, and delete the message. Unauthorised disclosure and/or use of information contained in this email may result in civil and criminal liability. Everything in this e-mail and attachments relating to the official business of Peterstow Aquapower is proprietary to the company.
Caution should be observed in placing any reliance upon any information contained in this e-mail, which is not intended to be a representation or inducement to make any decision in relation to Peterstow Aquapower. Any decision taken based on the information provided in this e-mail, should only be made after consultation with appropriate legal, regulatory, tax, technical, business, investment, financial, and accounting advisors. Neither the sender of the e-mail, nor Peterstow Aquapower shall be liable to any party for any direct, indirect or consequential damages, including, without limitation, loss of profit, interruption of business or loss of information, data or software or otherwise.
The e-mail address of the sender may not be used, copied, sold, disclosed or incorporated into any database or mailing list for spamming and/or other marketing purposes without the prior consent of Peterstow Aquapower.
No warranties are created or implied that an employee of Peterstow Aquapower and/or a contractor of Peterstow Aquapower is authorized to create and send this e-mail.
-----Original Message----- From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Dave Urig Sent: 22 October 2009 15:44 To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] AD Auditing
Far from free, but Netwrix AD Reporter has saved my bacon many times. Just in terms of potentially missed SLAs, it has paid for itself.
| | | |
| jeromelcruz
Posts:120
 | | 12/16/2009 1:31 PM |
| Folks,
If you already have access to Microsoft's SCOM (System Center Operations Manager) then there is a third party vendor "Add-in Pack" (well, at least one that I'm aware of) that provides additional tools for Group Policy auditing. Look around because if you already have SCOM in place, other vendors may have similar "Add-in Packs" for GPOs and other AD level systems.
Secure Vantage Group Policy Auditing Pack (http://www.securevantage.com/Products/Group_Policy.aspx)
(From their FAQ) What Group Policy Objects are Discovered?
* Account Lockout Policy
* Audit Policy
* Event Log Policy
* File System ACLs
* Kerberos Policy
* Password Policy
* Registry Keys
* Security Options
* System Services
* User Rights Assignments
Jerry Cruz | Group Policies Product Manager | IT Infrastructure | Boeing IT
-----Original Message----- From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Darren Mar-Elia Sent: Thursday, October 22, 2009 8:48 AM To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] AD Auditing
If you need both AD and GP Auditing then the round-up of products is pretty small. Quest and Netwrix have already been mentioned--I would add Tripwire to the list as well--their AD module does a fair bit of AD and GP auditing, or more specifically change monitoring. NetIQ does GP auditing but not sure about AD auditing.
In terms of free or low cost, you would pretty well have to roll your own. In terms of AD auditing, it wasn't until Server 2008 that MS added before and after values to AD audit events, so before that, you will only get information about what object/attribute changed and who did the change. In terms of native GP auditing, it's very limited. You can get the events from AD when a GPC (the AD part of the GPO) object changes, which gives you the GPO that was changed, the attribute that was changed and who made the change, but that is about all. There's no easy way to determine what changed in the GPO, unfortunately.
With the commercial products, keep in mind that there are roughly two ways to get value added audit data from AD and GP. The first is to put agents on your DCs that "inject" into the LSASS process to be able to see what is happening at a level that audit logs don't provide. This method is powerful and you get a lot of data that other methods can't provide, but it's also relatively unsupported from an MS perspective and I've seen it cause troubles on AD DCs. The other method is "safer" but usually less complete. That method basically relies on native audit events to find out when something has changed, then keeps snapshots of AD and GP data and compares before and after snapshots to determine changes. This method usually doesn't provide the same depth of auditing that other methods provide and in some circumstances can miss events, but again, is less invasive.
Darren
-----Original Message----- From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Peter Johnson Sent: Thursday, October 22, 2009 7:01 AM To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] AD Auditing
Quest do a really good tool as well.
| | | |
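The native, roll-your-own route mentioned in the thread, as an added example that is not from any of the posters: on Server 2008 and later a change to a GPC object is logged on the DC as Security event 5136, one record for the deleted value and one for the added value, and the script below joins them into a before/after row. It assumes the "Audit Directory Service Changes" subcategory is enabled and an auditing entry (SACL) covers the Policies container; the function name `ConvertTo-GpcChange` and all sample data are hypothetical.

```powershell
# Added example. Sample events are constructed; account, domain and GUIDs are placeholders.
# On a live DC the XML would come from:
#   Get-WinEvent -FilterHashtable @{LogName='Security'; Id=5136} | ForEach-Object { $_.ToXml() }
function ConvertTo-GpcChange {
    param([Parameter(Mandatory)][string[]]$EventXml)
    $records = @(foreach ($x in $EventXml) {
        $doc = [xml]$x
        if ($doc.GetElementsByTagName('EventID')[0].InnerText -ne '5136') { continue }
        $d = @{}
        foreach ($n in $doc.GetElementsByTagName('Data')) {
            $d[$n.GetAttribute('Name')] = $n.InnerText
        }
        # Keep only the AD half of a GPO (the GPC object).
        if ($d['ObjectClass'] -eq 'groupPolicyContainer') { [pscustomobject]$d }
    })
    # One LDAP modify is logged as a "Value Deleted" (%%14675) record plus a
    # "Value Added" (%%14674) record sharing an OpCorrelationID; join the two.
    $records | Group-Object OpCorrelationID, ObjectDN, AttributeLDAPDisplayName | ForEach-Object {
        $first = $_.Group[0]
        [pscustomobject]@{
            Who       = '{0}\{1}' -f $first.SubjectDomainName, $first.SubjectUserName
            GpoDN     = $first.ObjectDN
            Attribute = $first.AttributeLDAPDisplayName
            Before    = ($_.Group | Where-Object OperationType -eq '%%14675').AttributeValue
            After     = ($_.Group | Where-Object OperationType -eq '%%14674').AttributeValue
        }
    }
}

# Constructed sample: one edit of a GPO, seen as two 5136 records.
$tpl = "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>" +
    "<System><EventID>5136</EventID></System><EventData>" +
    "<Data Name='OpCorrelationID'>{0}</Data>" +
    "<Data Name='SubjectUserName'>gpoadmin</Data>" +
    "<Data Name='SubjectDomainName'>EXAMPLE</Data>" +
    "<Data Name='ObjectDN'>{1}</Data>" +
    "<Data Name='ObjectClass'>groupPolicyContainer</Data>" +
    "<Data Name='AttributeLDAPDisplayName'>{2}</Data>" +
    "<Data Name='AttributeValue'>{3}</Data>" +
    "<Data Name='OperationType'>{4}</Data></EventData></Event>"
$op = '{aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}'
$dn = 'CN={11111111-2222-3333-4444-555555555555},CN=Policies,CN=System,DC=example,DC=com'
$sample = @(
    ($tpl -f $op, $dn, 'versionNumber', '3', '%%14675'),
    ($tpl -f $op, $dn, 'versionNumber', '4', '%%14674')
)
ConvertTo-GpcChange -EventXml $sample | Format-List
```

The row identifies the GPO, the attribute and the account, and shows `versionNumber` before and after, but not which policy setting was edited; the settings themselves are stored in SYSVOL, outside these events.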