ADAM object auditing

Discussion in 'Active Directory' started by richwray, Oct 25, 2006.

  1. richwray

    richwray Guest

    Is there anyway to enable object access auditing (or account management) on
    an ADAM partition, which would encompass ALL objects in the partition.

    For example, if anyone changes a User or Group account in an ADAM partition
    it would record a success audit event in the Security log stating who did it,
    etc.

    In the ADAM FAQ there is a sample script but it seems to only set auditing
    on a single object, whereas I'm looking for a way to do all user/group
    objects such that new objects being created would also trigger an entry in
    the log.

    Thanks
     
    richwray, Oct 25, 2006
    #1
    1. Advertisements

  2. richwray

    Lee Flight Guest

    Hi

    audit is possible in ADAM SP1 but it's fairly coarse-grained.
    The tool to use is the security editor in the version of ldp.exe that
    comes with ADAM SP1.

    Right-click a tree node ->Advanced -> Security Descriptor
    check the SACL box, click OK. Click in the SACL pane to add
    SACL. The windows (ADAM administrator) account you use to
    create/modify SACL must have Manage auditing and security log
    rights.
    This tool is very low level so if SACL or the SACL ACE
    setting do no mean much to you then careful study and testing are in order.
    In the security policy on the ADAM instance you will need to enable
    Directroy Service audit.

    The key to audit of all objects is inheritance, *however* auditing
    success on all objects for everyone is going to be very noisy and may
    well hurt performance in production and so is not recommended.

    Reading around the practices for AD audit should give you some
    pointers and then it's a case of deciding what's most important
    for your audit e.g. only child object creation.

    HTH
    Lee Flight
     
    Lee Flight, Oct 25, 2006
    #2
    1. Advertisements

  3. richwray

    richwray Guest

    Thanks, I think that answers my question, however, I need to get the same
    type of output I get from enabling Account Management in AD (all creates,
    modifies and deletes on user/group objects). So, it's apparent this is not
    like AD in that I cannot just check an audit account management success box
    and have it work. Is there an "everyone" group or counterpart in ADAM that
    I could set auditing for at the top of the tree in order to catch similar
    output?

    Thanks!
     
    richwray, Oct 26, 2006
    #3
  4. richwray

    richwray Guest

    Sorry, How do I enable DS auditing in ADAM?
    Thx

     
    richwray, Oct 26, 2006
    #4
  5. richwray

    Lee Flight Guest

    Hi

    the Account Management audit in AD picks up a set of useful
    stuff but AFAIK it is mainly handled through the SAM logic in
    AD. Enabling the audit will not help for ADAM, I guess this
    stems from ADAM schema not having a default user class and
    a less rich concept of group and ADAM having it's own (pseudo) SAM
    logic.

    Assuming that you have a user class in your schema then
    as a test you could try adding two ACEs to the SACL at
    the partition head or suitable child node:

    Trustee: Everyone
    Access Mask: Write Property, Create Child, Delete
    ACE Flags: Inherit (checked), Success, Failure
    Object type: group - class

    and the same again but with

    Object type: user - class

    In the security policy of the server that has the ADAM instance you must
    enable
    Audit directory service access, just as you would for Audit account
    management
    etc.,

    Lee Flight
     
    Lee Flight, Oct 26, 2006
    #5
  6. richwray

    richwray Guest

    Got it - thank you very much!!

    Cheers!



     
    richwray, Oct 26, 2006
    #6
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.