Trying to audit active directory account operations

fenixryan
Posts: 4
Joined: Thu Nov 05, 2009 10:05 am

Post by fenixryan »

Hi,
Background:

We have a 2003 active directory domain with multiple helpdesk admins. I wish to audit their creation of accounts and computer objects on the domain.
I have set up HostMonitor v8.28 to monitor the three domain servers' event logs for the items I list below. This is to provide a separate audit log file that is easy to parse.

Here is what I want to achieve

User Account Created (624)
User Account Deletion (630)
Computer Account Created (645)
Computer Account Deleted (647)

Now I have setup 3 individual tests timed in 10 minute intervals...

When they run they are only returning the odd change but not all of them. What am I doing wrong?
Help appreciated. Can it be done?
The settings for each test are

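The goal described in the post (one consolidated audit file built from the account-management events of several domain controllers) can be illustrated outside HostMonitor. The following is an added example, not code from the thread or from KS-Soft: it takes Security-log records in a simplified record form, keeps only the four event IDs listed above, and merges them into one time-ordered audit log with a per-admin tally. The DC names, admin names and records are constructed sample data, and the record layout is an assumption, since the real log export format is not shown on the page. The example also covers a point the post only implies: on a Windows 2003 domain each account-management event is written only by the DC that processed the change, so the records of all DCs have to be merged before the audit is complete.

```python
"""Merge account-management events from several Windows 2003 DCs into one audit log.

Added example (not HostMonitor code). Records are constructed samples in a
simplified form; a real Security-log export would first be parsed into them.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Dict, Iterable, List

# The four pre-Vista Security-log event IDs named in the thread.
AUDITED_EVENTS = {
    624: "User Account Created",
    630: "User Account Deleted",
    645: "Computer Account Created",
    647: "Computer Account Deleted",
}


@dataclass(frozen=True)
class SecurityEvent:
    dc: str         # domain controller that wrote the record (constructed names)
    time: str       # ISO-8601 timestamp kept as text; sorts correctly in this form
    event_id: int   # Security-log event ID
    subject: str    # account that performed the operation (the helpdesk admin)
    target: str     # user or computer object acted upon


def audit_lines(events: Iterable[SecurityEvent]) -> List[str]:
    """Return one audit line per audited event from all DCs, ordered by time.

    Each DC only logs the changes it processed itself, so the caller must pass
    the records of every DC; events with other IDs (logons etc.) are dropped.
    """
    selected = [e for e in events if e.event_id in AUDITED_EVENTS]
    selected.sort(key=lambda e: e.time)
    return [
        f"{e.time} {e.dc} {e.event_id} {AUDITED_EVENTS[e.event_id]}: "
        f"{e.subject} -> {e.target}"
        for e in selected
    ]


def per_admin_counts(events: Iterable[SecurityEvent]) -> Dict[str, int]:
    """Count audited operations per acting account, to spot who changed what."""
    counts: Dict[str, int] = {}
    for e in events:
        if e.event_id in AUDITED_EVENTS:
            counts[e.subject] = counts.get(e.subject, 0) + 1
    return counts


# Constructed sample records from three hypothetical DCs (not the thread's servers).
SAMPLE_EVENTS = [
    SecurityEvent("DC1", "2009-11-09T14:10:02", 624, "helpdesk1", "jsmith"),
    SecurityEvent("DC2", "2009-11-09T14:12:45", 645, "helpdesk2", "WS0421$"),
    SecurityEvent("DC1", "2009-11-09T14:15:30", 528, "jsmith", "jsmith"),  # logon, not audited
    SecurityEvent("DC3", "2009-11-09T14:20:11", 630, "helpdesk1", "jsmith"),
    SecurityEvent("DC2", "2009-11-09T14:25:00", 647, "helpdesk2", "WS0421$"),
]


if __name__ == "__main__":
    # Writing the merged lines to a file gives the "separate audit log" the post asks for.
    for line in audit_lines(SAMPLE_EVENTS):
        print(line)
    print(per_admin_counts(SAMPLE_EVENTS))
```

Feeding the function records from only one DC would reproduce the symptom described in the post (only some changes appear), which is why the merge across all DCs matters for a complete audit trail.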
KS-Soft
Posts: 13012
Joined: Wed Apr 03, 2002 6:00 pm
Location: USA

Post by KS-Soft »

User Account Created (624)
User Account Deletion (630)
Computer Account Created (645)
Computer Account Deleted (647)
As I see you have added just 1st and 2nd event ID into list.
I think you should add event ID 645 and 647 as well.
Also I don't think you need to use "Description contains" filter for these events. You may set this parameter to "Description contains: any text"

Regards
Alex
fenixryan
Posts: 4
Joined: Thu Nov 05, 2009 10:05 am

thanks alex

Post by fenixryan »

Hi I've added event ID 645 and 647 and set to "Description contains: any text"
but still no joy. I created a couple of test users and deleted them at random times with two different admin accounts, and only one change was flagged.
KS-Soft
Posts: 13012
Joined: Wed Apr 03, 2002 6:00 pm
Location: USA

Post by KS-Soft »

How many records do you see in the log when you removed user account? Do you see appropriate record for each operation?

Regards
Alex
fenixryan
Posts: 4
Joined: Thu Nov 05, 2009 10:05 am

Post by fenixryan »

I see all the changes in the security event log with the corresponding admin accounts that have made the changes.
fenixryan
Posts: 4
Joined: Thu Nov 05, 2009 10:05 am

Post by fenixryan »

Also getting this:

Message from HostMonitor (host changed status)

Test : NTLog \\Valencia:Security\Security
Method: check NT Event Log
Status : Unknown
Date : 09/11/2009 14:41:22
Reply : System Error. Code: 87.
The parameter is incorrect

Recurrences : 1
Last status: Ok
Total tests: 397
Alive ratio : 96.22 %
Dead ratio: 3.27 %

Folder: Account Audit
KS-Soft
Posts: 13012
Joined: Wed Apr 03, 2002 6:00 pm
Location: USA

Post by KS-Soft »

Status : Unknown
Reply : System Error. Code: 87.
The parameter is incorrect
This means the Event Log API returns an error when HostMonitor tries to request data. That's probably why HostMonitor cannot retrieve information about some events.
Some Microsoft articles state there were bugs in IIS and MS SQL Server that led to such an error. But unfortunately we cannot find anything useful about this error in relation to the Event Log :(

Regards
Alex