Nov 02 2018
06:56 AM
- last edited on
Nov 30 2021
10:06 AM
by
TechCommunityAP
Nov 02 2018
06:56 AM
- last edited on
Nov 30 2021
10:06 AM
by
TechCommunityAP
I am looking for a solution that will notify management whenever a domain admin performs a task. I am not looking for when an DA logs on/off but actually performs an elevated task. For example: Running ADUC from their desktop to edit a user, disable an account, create a security group and other such daily tasks. Auditing is enabled but it appears that unless the DA is actually doing the tasks on a DC the event goes without creating an event log entry. Is ATA a viable solution?
Nov 16 2018 08:36 AM
You could set up the elevated accounts up as honey tokens in ATA and you will get logs/alerts every time the user authenticates using that account. Even that is not really what your asking for so I would say ATA is not the solution for your particular use case.
Nov 21 2018 12:39 AM
You would need a SEIM tool or look at WEFFLES by Jessica Payne. Running ADUC from a workstation won't be captured on a DC but the actions (edit, disable, create) should be if your auditing is done right. Don't forget as well as setting the audit policy GPO, you have to configure the auditing in the SACL