#1
Hi Everyone

One of the administrators here deleted an A entry in our 2003 Active Directory Integrated DNS. Is there a way to track the user who did this? i.e In Logs? I'm not sure if the will be logged in the security logs of the Domain Controllers? Would looking for a 564 Security Audit (Object Deleted) event pick this up?

Your is appreciated

#2
"Brendon B" <BrendonB@discussions.microsoft.com> wrote in message news:E568207F-68A3-4EF2-8621-FEEB9CE0C658@microsoft.com...
> Hi Everyone
>
> One of the administrators here deleted an A entry in our 2003 Active
> Directory Integrated DNS. Is there a way to track the user who did this? i.e
> In Logs? I'm not sure if the will be logged in the security logs of the
> Domain Controllers? Would looking for a 564 Security Audit (Object Deleted)
> event pick this up?

Not unless you have enabled the appropriate auditing setting (DS objects) AND selected the AD DNS objects to be audited with ACLs. (Both unlikely.)

> Your is appreciated

Do you perhaps have too many admins?

#3
Hi Martin

That may be the case

We have the following auditing in place on our Domain controllers:

Audit account logon events          No auditing
Audit account management            Success, Failure
Audit directory service access      No auditing
Audit logon events                  Success, Failure
Audit object access                 Success, Failure
Audit policy change                 Success
Audit privilege use                 Success
Audit process tracking              Success
Audit system events                 Success, Failure

Would this deletion have been covered in one of the categories above?

If so, what event would I have to look for?

Regards
Brendon

#4
"Brendon B" <BrendonB@discussions.microsoft.com> wrote in message news:51F45B04-C561-47AF-BF80-6FC8C86BF275@microsoft.com...
> Hi Martin
>
> That may be the case
>
> We have the following auditing in place on our Domain controllers:
>
> Audit account logon events No auditing
> Audit account management Success, Failure
> Audit directory service access No auditing

IF this auditing were enabled you COULD enable auditing on AD objects you wish to monitor and get the audit records in the security log (it can get big and out of control rapidly, however).

> Audit logon events Success, Failure
> Audit object access Success, Failure
> Audit policy change Success
> Audit privilege use Success
> Audit process tracking Success
> Audit system events Success, Failure
>
> Would this deletion have been covered in one of the categories above?

No. And even if you had enabled (success) for the directory service object access then you would still have needed to enable the auditing ACLs (like NTFS permissions) on the actual objects you wished to monitor.

> If so, what event would I have to look for?

Security event log, object access entries for (primarily) success.
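
The two conditions named in the replies above (the "directory service access" audit category plus an auditing ACL on the object itself), as a simplified model. This is an added example, not part of the original thread and not Windows code: `AuditAce`, `is_audited`, `with_ds_access` and the sample trustees are hypothetical, and real evaluation also handles inheritance and object-type ACEs.

```python
from dataclasses import dataclass

# Access-mask bits (Windows SDK values): standard DELETE plus two AD rights.
DELETE = 0x00010000
ADS_RIGHT_DS_DELETE_CHILD = 0x00000002
ADS_RIGHT_DS_WRITE_PROP = 0x00000020
# Audit-ACE flags: which outcome the ACE asks to have logged.
SUCCESSFUL_ACCESS_ACE_FLAG = 0x40
FAILED_ACCESS_ACE_FLAG = 0x80

@dataclass
class AuditAce:  # hypothetical, simplified audit entry in an object's SACL
    trustee: str
    mask: int
    flags: int

# Audit policy as posted in #3 (category -> outcomes that are audited).
POSTED_POLICY = {
    "account logon events": set(),
    "account management": {"success", "failure"},
    "directory service access": set(),
    "logon events": {"success", "failure"},
    "object access": {"success", "failure"},
    "policy change": {"success"},
    "privilege use": {"success"},
    "process tracking": {"success"},
    "system events": {"success", "failure"},
}

def with_ds_access(policy, outcomes):
    """Copy of the policy with 'directory service access' set to the given outcomes."""
    return {**policy, "directory service access": set(outcomes)}

def is_audited(policy, sacl, user_groups, requested_mask, succeeded=True):
    """True if an access to an AD object would produce a security-log record."""
    outcome = "success" if succeeded else "failure"
    # Gate 1: AD objects fall under 'directory service access', not 'object access'.
    if outcome not in policy.get("directory service access", set()):
        return False
    # Gate 2: an audit ACE on the object must match trustee, access and outcome.
    flag = SUCCESSFUL_ACCESS_ACE_FLAG if succeeded else FAILED_ACCESS_ACE_FLAG
    return any(ace.trustee in user_groups and bool(ace.mask & requested_mask)
               and bool(ace.flags & flag) for ace in sacl)

# Constructed sample: a success-only audit ACE for Everyone on the DNS objects.
SAMPLE_SACL = [AuditAce("Everyone", DELETE | ADS_RIGHT_DS_DELETE_CHILD
                        | ADS_RIGHT_DS_WRITE_PROP, SUCCESSFUL_ACCESS_ACE_FLAG)]
ADMIN_GROUPS = {"Everyone", "Domain Admins"}

if __name__ == "__main__":
    print("policy as posted:", is_audited(POSTED_POLICY, SAMPLE_SACL, ADMIN_GROUPS, DELETE))
    fixed = with_ds_access(POSTED_POLICY, {"success"})
    print("DS access on, no SACL:", is_audited(fixed, [], ADMIN_GROUPS, DELETE))
    print("DS access on + SACL:", is_audited(fixed, SAMPLE_SACL, ADMIN_GROUPS, DELETE))
```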