Auditing Admins in Active Directory

By jeff.engel ·
An external auditor is requiring that we be able to audit administrator activity on our AD network while restricting the authority of the admins to turn off the auditing whenever they want to cover their tracks. We're looking for a way to do this without using a 3rd party. Any help would be appreciated. Thanks


Auditing Admins in Active Directory

by timwalsh In reply to Auditing Admins in Active ...

Are there specific types of activities (i.e. security-related) that need to be audited, or any and all activities?

Do only administrator activities conducted on domain controllers need auditing, or activities relating to all computers on the network?

Security-related auditing is included as a feature in Group Policy. You can audit such things as log-on / log-off, account management, privilege use, access to specific objects, etc. While Win2K will allow you to very granularly define who has permissions to conduct certain tasks, there will always be at least 1 administrator who has permission to do everything.

If your auditing needs go beyond simple security auditing, you will need 3rd party software (if it exists), because Windows does not include this capability natively.

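The Group Policy security auditing described in the post above, shown as a worked example. This is an added example and not code from the original thread; it assumes Windows Server 2008 R2 or later (Vista+ event IDs and auditpol.exe), whereas the thread is discussing Windows 2000, where the corresponding events were 612 (audit policy changed) and 517 (audit log cleared). The subcategory list and the seven-day window are illustrative choices, and reading the account name from the event's second property is an assumption about the event schema that holds for 4719 and 1102.

```powershell
# Added example, not part of the original thread.
# Assumes Windows Server 2008 R2+ with auditpol.exe and Get-WinEvent available.

# 1. Enable the audit subcategories that cover the activities listed in the post
#    (log-on / log-off, account management, privilege use, object access in AD).
#    In a domain these belong in a GPO under Advanced Audit Policy Configuration;
#    the local auditpol calls are shown so the mapping to subcategories is explicit.
$subcategories = @(
    'Logon',                      # log-on
    'Logoff',                     # log-off
    'User Account Management',    # account management
    'Security Group Management',  # group membership changes
    'Sensitive Privilege Use',    # privilege use
    'Directory Service Changes',  # changes to AD objects (5136 etc.)
    'Audit Policy Change'         # changes to the audit policy itself (4719)
)
foreach ($s in $subcategories) {
    auditpol.exe /set /subcategory:"$s" /success:enable /failure:enable | Out-Null
}

# 2. Verify the effective policy on this machine.
auditpol.exe /get /category:*

# 3. Look for the two events an administrator covering tracks would generate:
#    4719 = "System audit policy was changed", 1102 = "The audit log was cleared".
#    1102 is written as the first event after a clear, so it survives the clear itself.
$since  = (Get-Date).AddDays(-7)   # illustrative window
$tamper = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4719, 1102
    StartTime = $since
} -ErrorAction SilentlyContinue

$tamper |
    Select-Object TimeCreated, Id,
        # Assumption: Properties[1] is SubjectUserName in both 4719 and 1102.
        @{ Name = 'Account'; Expression = { $_.Properties[1].Value } },
        @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize
```

Step 3 only tells you that auditing was changed or the log was cleared; it cannot prevent either, which is the point the replies below make. The events are also written to the local Security log, which the same administrator can clear or stop, so the record only becomes tamper-evident once it is copied to a collector the administrator does not control (Windows Event Forwarding, or a syslog/SIEM agent) before it can be erased.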

Auditing Admins in Active Directory

by jeff.engel In reply to Auditing Admins in Active ...

Any and all activities must be audited on the domain and on all computers...and as you mentioned, Win2K does not (at least not openly) provide a way of doing this natively. We were just double-checking to make sure we hadn't overlooked something.


Auditing Admins in Active Directory

by Gigelul In reply to Auditing Admins in Active ...

If I understand correctly, you want to audit Admin activity. By default you can't stop admins from disabling the audit. You must have trust in their activities (or change admins).


Auditing Admins in Active Directory

by jeff.engel In reply to Auditing Admins in Active ...

That would be the logical solution...but it's not good enough for the auditors.


Auditing Admins in Active Directory

by mfischer In reply to Auditing Admins in Active ...

Supporting the previous answer. It is NOT possible to restrict an administrator in any way. Logically, it would defeat the purpose of HAVING an admin, would it not? The only way that you could effectively do any monitoring is to use spyware without the admin's knowledge. Even then, an administrator would have sufficient rights and permissions to disable it if it were discovered. I would question the knowledge of the auditors if they are suggesting that you do the impossible without suggesting how it would be done.


Auditing Admins in Active Directory

by jeff.engel In reply to Auditing Admins in Active ...

As we thought. Now that we've ruled out AD doing it natively, does anybody know of any 3rd-party utilities that could do this? Thanks again


Auditing Admins in Active Directory

by pschuvie In reply to Auditing Admins in Active ...

Seems like time to go back to the auditors and ask a few questions:

1. Why do you require this? What is the precedent for it?

2. Have you ever seen it done on any system? If so, who can you contact regarding it?

3. Have you ever seen it done on a Windows system? Again, if so, who can they recommend you contact?

Somehow I get the picture of an auditor outside its realm of expertise recommending the improbable based on some unproven theory (paranoia); either that, or the last audit was for an outfit that used dual command posts not within reach of each other and required simultaneous insertion of keys. Wait, aren't all those silos inactive?

Good luck on your search, and please post your solution, as this would be one to know for sure.


Auditing Admins in Active Directory

by jeff.engel In reply to Auditing Admins in Active ...

1.) Auditors require it; Novell has this capability.
2.) Answer above; never seen on Windows systems.
3.) Nope, and they made no recommendations.

Since Novell has this capability they won't bother us. But with a planned move to Active Directory, we will fall out of their requirements.
