Getting Data In

Monitoring User Activity in Active Directory

linuxprophet
New Member

How do I monitor user account creation in AD?

I need to accomplish the following:

  1. Who created the user?
  2. What privileges were given to the new user?
  3. What did the user do with the account once the account was created?

Thank you.

Tags (1)
0 Karma

carltonflintoff
New Member

Could you please confirm about your windows server environment ? You can configure the auditing policy to track all the activities made in active directory by users. Please refer to this link that will assist you in right direction about how to enable auditing policy in active directory : http://support.microsoft.com/kb/814595

In addition, you can have a look at this automated solution available at (www.lepide.com/active-directory-audit/) that seems to be more suitable option and can be a better alternative approach that covers all the aspects you have mentioned in your description. It monitor all the activities made in active directory at granular level and alerts instantly by sending customized email report of all critical changes with real time monitoring.

0 Karma

dolejh76
Communicator

If Splunk can do all this - why would you invest in another 3rd party solution?

JD

0 Karma

clymbouris
Path Finder

Just monitoring your DCs security logs while executing the tasks will help you figure out the event codes you need to index. Note that win2003 and win2008 security logs have different event codes

For account changes in 2k8 DC (created,deleted,disabled etc) look for the events 4722,4725,4720,4726,4740,4767.

If you're short on bandwidth then be warned that AD security log is huge so rex your winsecurity logs in the transforms.conf and allow only eventcodes you want to get through.

You should try infigo's windows security app also

sdaniels
Splunk Employee
Splunk Employee

This will help you get started with AD monitoring.

http://docs.splunk.com/Documentation/Splunk/latest/Data/AuditActiveDirectory

Splunk is also working on a Splunk for Microsoft Active Directory application as well.

linuxprophet
New Member

Thank you.
I had read the documentation severally prior to posting.
I however am not a Windows man and could use some help.

The *nix app is fine for telling me who logged in, lastlog parsing and so on, but I need to be able to forward only what I specified in the initial post to the indexer.
The Windows deployment is set up as a heavy forwarder.

Any Windows gurus out there?

0 Karma
Get Updates on the Splunk Community!

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...

Federated Search for Amazon S3 | Key Use Cases to Streamline Compliance Workflows

Modern business operations are supported by data compliance. As regulations evolve, organizations must ...