Monitor file system changes

Discussion in 'Active Directory' started by Dean, Aug 10, 2009.

  1. Dean

    Dean Guest

    Hello,

    I'm not 100% sure this is the correct discussion group but I thought I would
    try here first. I am trying to find out if there is a way to be alerted by
    some installable Microsoft tool when a user makes a change to critical files
    on a file server or a domain admin modifies logon scripts. I know these are
    kind of 2 different questions I just wanted to start here.

    TIA,
    Dean
     
    Dean, Aug 10, 2009
    #1
    1. Advertisements


  2. Well, yes and no as far as which newsgrouup. But you're ok here. Auditing is
    your answer for both parts. There is AD auditing, and then there's file
    system and other resource auditing. Auditing events, will show up in the
    Event logs.

    The following are my notes on Auditing.

    ==================================================================
    Auditing

    AccessEnum for folders:
    http://technet.microsoft.com/en-us/sysinternals/bb897332.aspx

    ShareEnum for shares:
    http://technet.microsoft.com/en-us/sysinternals/bb897442.aspx

    An appropriate need for eventcombnt as opposed to searching through 11 DCs
    everytime.
    http://technet.microsoft.com/en-us/security/cc297183.aspx

    Logon Type Codes Revealed (EventIDs)
    http://www.windowsecurity.com/articles/Logon-Types.html

    Audit logon events: Security Configuration Editor; Security ServicesJan 21,
    2005
    If both account logon and logon audit policy categories are enabled, logons
    that use a domain account generate a logon or logoff event on ...
    http://technet.microsoft.com/en-us/library/cc787567.aspx

    Audit logon events
    If you are auditing successful Audit account logon events on a domain
    controller, then workstation logons do not generate logon audits. ...
    http://technet.microsoft.com/en-us/library/cc976395.aspx

    Audit account logon events
    http://technet.microsoft.com/en-us/library/cc787176(WS.10).aspx

    Auditing failed logon events and account lockouts
    http://technet.microsoft.com/en-us/library/cc671957(WS.10).aspx

    How to Enable Success Logon Event Logging Dec 1, 2008
    To enable success logon event logging using a local security policy ...
    In the results pane, double-click Audit logon events and ensure that ...
    http://technet.microsoft.com/en-us/library/cc431373.aspx

    Auditing Security Events Best practices: Auditing Jan 21, 2005
    For information about how to enable auditing in the logon event category,
    see Define or modify auditing policy settings for an event ...
    http://technet.microsoft.com/en-us/library/cc778162.aspx

    ---

    Which DC joined my machine to the domain?

    Check the netsetup.log in % SystemRoot %\debug folder.
    Also enable Auditing for Account management on the Default domain
    controllers GPO.
    ==================================================================

    --
    Ace

    This posting is provided "AS-IS" with no warranties or guarantees and
    confers no rights.

    Please reply back to the newsgroup or forum to benefit from collaboration
    among responding engineers, and to help others benefit from your resolution.

    Ace Fekay, MCT, MCTS Exchange, MCSE, MCSA 2003 & 2000, MCSA Messaging
    Microsoft Certified Trainer

    For urgent issues, please contact Microsoft PSS directly. Please check
    http://support.microsoft.com for regional support phone numbers.
     
    Ace Fekay [MCT], Aug 11, 2009
    #2
    1. Advertisements

  3. Dean

    Jorge Silva Guest

    Hi Dean,

    SCOM may be the answer for what you want, have a look at SCOM newsgroups to
    help you with that task. You also can build your own alerts deppind what
    you're looking for.

    --
    I hope that the information above helps you.
    Have a Nice day.

    This posting is provided "AS-IS" with no warranties or guarantees and
    confers no rights.

    Jorge Silva
    MVP Directory Services
     
    Jorge Silva, Aug 11, 2009
    #3
  4. Dean

    Jesse1113

    Joined:
    Dec 13, 2011
    Messages:
    13
    Likes Received:
    0
    NetWrix File Server CHange Reporter

    Download NetWrix File Server Change Reporter (NetWrix: #1 for Change Auditing - Simple, Lightweight, Affordable –there is a freeware version and an enterprise version). The tool monitors all changes made to file servers and alerts you whenever a change is made. It will tell you who made the change, when it was made, what was changed, etc.
     
    Jesse1113, Apr 26, 2012
    #4
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.