https://www.lepide.com/how-to/track-changes-in-active-directory.html
https://www.lepide.com/how-to/audit-chnages-made-to-group-policy-objects.html
https://www.manageengine.com/products/active-directory-audit/windows-security-eventlog-monitoring.html
https://blogs.technet.microsoft.com/askpfeplat/2012/04/22/who-moved-the-ad-cheese/ - исчерпывающая статья о мониторинге AD
https://dzone.com/articles/create-windows-services-in-c - создание сервиса с помощью Visual Studio
https://www.c-sharpcorner.com/article/monitoring-remote-log-remotely-using-wmi-in-C-Sharp-and-net/ - remote log watching using WMI
https://www.loggly.com/ultimate-guide/centralizing-windows-logs/ - про сбор логов на одной машине с помощью подписок (Subscriptions)
https://blog.netwrix.com/2016/01/15/how-to-get-user-logon-session-times-from-event-log/
Файл с Message Templates - %SystemRoot%\system32\adtschema.dll, посмотреть содержимое можно с помощью Resource Hacker

Active Directory related Event IDs

4727 A security-enabled global group was created.
4730 A security-enabled global group was deleted.
4731 A security-enabled local group was created.
4734 A security-enabled local group was deleted.
4735 A security-enabled local group was changed.
4737 A security-enabled global group was changed.
4744 A security-disabled local group was created.
4745 A security-disabled local group was changed.
4748 A security-disabled local group was deleted.
4749 A security-disabled global group was created.
4750 A security-disabled global group was changed.
4753 A security-disabled global group was deleted.
4754 A security-enabled universal group was created.
4755 A security-enabled universal group was changed.
4758 A security-enabled universal group was deleted.
4759 A security-disabled universal group was created.
4760 A security-disabled universal group was changed.
4763 A security-disabled universal group was deleted. 
4764 A group type was changed.
4728 A member was added to a security-enabled global group.
4729 A member was removed from a security-enabled global group.
4732 A member was added to a security-enabled local group.
4733 A member was removed from a security-enabled local group.
4746 A member was added to a security-disabled local group.
4747 A member was removed from a security-disabled local group.
4751 A member was added to a security-disabled global group.
4752 A member was removed from a security-disabled global group.
4756 A member was added to a security-enabled universal group.
4757 A member was removed from a security-enabled universal group.
4761 A member was added to a security-disabled universal group.
4762 A member was removed from a security-disabled universal group.
4780 The ACL was set on accounts which are members of administrators groups.
4720 A user account was created.
4722 A user account was enabled.
4725 A user account was disabled.
4726 A user account was deleted.
4738 A user account was changed.
4740 A user account was locked out.
4767 A user account was unlocked.
4781 The name of an account was changed.
4741 A computer account was created.
4742 A computer account was changed.
4743 A computer account was deleted.
4661 A handle to an object was requested
4662 An operation was performed on an object.
5136 A directory service object was modified.
5137 A directory service object was created.
5138 A directory service object was undeleted
5139 A directory service object was moved.
5141 A directory service object was deleted.
4723 An attempt was made to change an account's password.
4724 An attempt was made to reset an accounts password.
4794 An attempt was made to set the Directory Services Restore Mode administrator password
5376 Credential Manager credentials were backed up.
5377 Credential Manager credentials were restored from a backup.
4624 - An account was successfully logged on.
4634 - An account was logged off.
4800 - Lock
4801 - UnLock
Enter your comment. Wiki syntax is allowed:
 
  • ms_windows_ms_sql/ad_changes_monitoring.txt
  • Last modified: 2019/06/26 10:01
  • by admin