October 28, 2008

HOWTO Video: Account auditing for group membership changes

On one of the mailing lists I monitor I noticed many of the SMB admins do not know how to do account auditing. This is quite surprising to me, as I thought it was a given.

To help with this, for those that DON'T know how to do auditing, I have just done a quick 6-minute screencast to help you along. You can check it out at:


The video will show you how to quickly configure account auditing using the domain security policy and then use free Microsoft tools like EventCombMT to quickly query across all the servers in your domain, looking for critical events like 660 (a user added to a security group) and 661 (a user removed from a security group). From there... the world is in your hands. You can easily cross query for specific accounts, etc., to accomplish EXACTLY the kind of auditing we are talking about.
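The same cross-server query can also be scripted. The following is an added example, not taken from the post or the video: it uses the Windows PowerShell `Get-EventLog` cmdlet instead of EventCombMT, and the server names, account name and seven-day window are placeholder assumptions.

```powershell
# Added example: collect group membership change events from several servers.
# Assumptions: Windows PowerShell 2.0 or later, rights to read each remote
# Security log, and account auditing already enabled in the domain policy.

$servers  = @('DC01', 'DC02')        # hypothetical server names
$eventIds = 660, 661                 # event IDs named in the post; adjust to
                                     # the IDs your OS version actually logs
$account  = 'jsmith'                 # hypothetical account to cross query; '' = all
$since    = (Get-Date).AddDays(-7)   # assumed review window

$results = foreach ($server in $servers) {
    try {
        Get-EventLog -ComputerName $server -LogName Security `
                     -InstanceId $eventIds -After $since -ErrorAction Stop |
            # Keep only events whose text mentions the account of interest.
            Where-Object { -not $account -or
                           $_.Message -match [regex]::Escape($account) } |
            Select-Object @{ n = 'Server';  e = { $server } },
                          TimeGenerated, EventID, UserName,
                          @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } }
    }
    catch {
        # Get-EventLog also raises an error when nothing matches, so this
        # covers both "no events found" and "log could not be read".
        Write-Warning "No results from ${server}: $($_.Exception.Message)"
    }
}

# One time-ordered view across every server that answered.
$results | Sort-Object TimeGenerated | Format-Table -AutoSize
```

A server that only produces a warning still needs a manual check, since an unreadable log and a log with no matching events look the same in this output.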

The security already exists in the system. You just need to learn how to use it. Hope the video helps.

Posted by SilverStr at October 28, 2008 05:01 PM