October 28, 2008
HOWTO Video: Account auditing for group membership changes
On one of the mailing lists I monitor I noticed many of the SMB admins do not know how to do account auditing. This is quite surprising to me, as I thought it was a given.
The video will show you how to quickly configure account auditing using the domain security policy, and then use free Microsoft tools like EventCombMT to query across all the servers in your domain for critical events like 660 (a user added to a security group) and 661 (a user removed from a security group). From there, the world is in your hands. You can easily cross-query for specific accounts, etc., to accomplish EXACTLY the kind of auditing we are talking about.
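The same cross-server sweep for events 660 and 661 can also be scripted. The following Windows PowerShell function is an added example, not something taken from the video or from EventCombMT; the function name, the server names and the account are placeholders, and it assumes Windows PowerShell (where `Get-EventLog` is available) and an account allowed to read the remote Security logs.

```powershell
# Added example: sweep the Security log on several servers for the two
# event IDs named in the post and optionally narrow to one account.
# Function name, server names and account are placeholders (assumptions).
function Find-GroupMembershipChange {
    param(
        [Parameter(Mandatory = $true)]
        [string[]]$ComputerName,
        [string]$Account,
        [datetime]$After = (Get-Date).AddDays(-7)
    )

    # IDs as given in the post: 660 = added to group, 661 = removed from group.
    $eventIds = 660, 661

    foreach ($server in $ComputerName) {
        try {
            $events = Get-EventLog -LogName Security -ComputerName $server `
                -InstanceId $eventIds -After $After -ErrorAction Stop
        }
        catch {
            # Reached for an unreachable server, an access-denied error, or a
            # server with no matching entries; report it and keep sweeping.
            Write-Warning "${server}: $($_.Exception.Message)"
            continue
        }

        if ($Account) {
            # Plain text match on the rendered message, escaped so account
            # names containing regex characters are matched literally.
            $events = $events |
                Where-Object { $_.Message -match [regex]::Escape($Account) }
        }

        # One row per event: where, when, which ID, and the message's first line.
        $events | Select-Object MachineName, TimeGenerated, EventID,
            @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } }
    }
}

# Placeholder inputs: replace with your own servers and the account to trace.
Find-GroupMembershipChange -ComputerName 'DC01', 'FILE01' -Account 'jsmith' |
    Sort-Object TimeGenerated |
    Format-Table -AutoSize
```

These events are only written once account auditing has been enabled in the domain security policy, so an empty result on every server usually means the policy step has not taken effect yet.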