Professional Documents
Culture Documents
and it can change the membership of all administrative groups in the domain. Domain Admins (global) Domain Admins has complete control over all domain controllers and all directory content stored in the domain. Server Operators (built-in local) Account Operators (built-in local) Server Operators can perform maintenance tasks, such as backup and restore, on domain controllers. Account Operators can create and manage users and groups in the domain, but it cannot manage service administrator accounts. Backup Operators can perform backup and restore operations on domain controllers.
4. On the Criteria tab of the alert, configure the following advanced criteria. An example is shown in Figure C-1. Field: Event Number Condition: matches regular expression Value: 632|633 Field: Parameter 3 Condition: matches regular expression Value: Domain[ ]Admins|Schema[ ]Admins|Enterprise[ ]Admins
Note Between the square brackets, there is a single space. This format is required for the regular expression to work.
5. On the Alert Suppression tab, ensure that Computer, Domain, and Description are checked. This will allow alert to suppression to be active only if the computer names, domains, and descriptions are identical. This will stop changes to the monitored groups being missed, as a new alert will be generated (instead of the repeat count increasing on the existing alert). 6. On the Alert tab, configure the Alert Severity as a Security Issue.
3. On the Alert Suppression tab, ensure that Computer, Domain, and Description are checked. On the Alert tab, configure the Alert Severity as a Security Issue.
By default, MOM does not resolve SIDs/GUIDs to their friendly names. You can configure the MOM agent to resolve the SIDs/GUIDs by adding the following registry value to the registry using regedit: Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Mission Critical Software\OnePoint Name: ResolveGUID Type: Dword Value: 00000001 After adding this key to the registry, be sure to restart the MOM service. Figure C-4 shows the alert once the registry value has been added.
If the MOM infrastructure is not at SP1 and it is then upgraded, the registry must be configured again, as the SP1 upgrade can remove the registry key.
Condition: equals Value: 566 Field: Description Condition: matches wildcard Value: *Create Child*organizationalUnit*
3. On the Alert Suppression tab, ensure that Computer, Domain, and Description are checked. On the Alert tab, configure the Alert Severity as a Security Issue.
1. Under the Active Directory Security rule group, create a new Alert on or Respond to Event rule called Alert on OU Deletion. In the description field, state that it will alert on an OU being deleted. 2. On the Criteria tab of the alert, configure the following advanced criteria. An example is shown in Figure C-6. Field: Event Number Condition: equals Value: 566 Field: Description Condition: matches wildcard Value: *DELETE*organizationalUnit*
3. On the Alert Suppression tab, ensure that Computer, Domain, and Description are checked. On the Alert tab, configure the Alert Severity as a Security Issue.
Figure C-7. Advanced critera for the New OU Security Modification alert
3. On the Alert Suppression tab, ensure that Computer, Domain, and Description are checked. On the Alert tab, configure the Alert Severity as a Security Issue.
3. On the Alert Suppression tab, ensure that Computer, Domain, and Description are checked, and configure the Alert Severity as a Security Issue. When monitoring GPO creation, you will often have four alerts created per GPO. This is normal, as the event ID is created four times with slightly different values each time in the event log.
3. On the Alert tab, check Enable state alert properties (as shown in Figure C-10), and then click Edit.
4. On the Alert Severity Calculation for State rule, click Add. 5. Add NOT MatchRegEx(AttributeValue(Description), "(Client).*[/$") to the Condition field. On the Alert tab, configure the Alert Severity as a Security Issue (as shown in Figure C-11), and then click OK.
6. On the Alert Suppression tab, ensure that Computer, Domain, and Description are checked. By enabling the matching regular expression in the alert state, you will prevent alerts from being generated by the domain controller if the domain controller itself updates a GPO (e.g., the Default Domain Controllers policy).
3. On the Alert Suppression tab, ensure that Computer, Domain, and Description are checked. On the Alert tab, configure the Alert Severity as a Security Issue.
1. Under the Active Directory Security rule group, create a new Alert on or Respond to Event rule called Alert on GPO being linked. In the description field, state that it will alert when a GPO is linked. 2. On the Criteria tab of the alert, configure the following advanced criteria. An example is shown in Figure C-13. Field: Event Number Condition: equals Value: 566 Field: Description Condition: matches wildcard Value: *Write Property*gPLink*
3. On the Alert Suppression tab, ensure that Computer, Domain, and Description are checked. On the Alert tab, configure the Alert Severity as a Security Issue.
The friendly name can be found by using a script that is included with the Group Policy Management Console. The script DumpGPOInfo.wsf is located by default in C:\Program Files\GPMC\Scripts\, and can be run by passing the common name of the GPO to the script. Following is an example:
Cscript DumpGPOInfo.wsf {3120-016D-11D2-945F-0C0F9} /domain:acme.com
s -- Who can edit this GPO --- Who can edit settings, modify security, and delete this GPO -Domain Admins Enterprise Admins SYSTEM -- Who only has read access -ENTERPRISE DOMAIN CONTROLLERS -- Who has custom permissions -- Where this GPO is linked (Sites,Domain,OU) -ACME.com (Domain) ==============================================
The output of the DumpGPOInfo.wsf script will allow you to easily see which GPO has changed so that you can investigate what has been altered. The GPO alert will tell you who made the changetherefore, the first point of call should be the administrator who made the change so that you can verify that the change was authorized.