Page ms_windows_ms_sql:ad_changes_monitoring, revisions 2019/06/05 11:57 and 2019/06/26 10:01 (current), by admin
https://www.lepide.com/how-to/track-changes-in-active-directory.html \\
https://www.lepide.com/how-to/audit-chnages-made-to-group-policy-objects.html \\
https://www.manageengine.com/products/active-directory-audit/windows-security-eventlog-monitoring.html \\
https://blogs.technet.microsoft.com/askpfeplat/2012/04/22/who-moved-the-ad-cheese/ - a comprehensive article on AD monitoring \\
https://dzone.com/articles/create-windows-services-in-c - creating a Windows service with Visual Studio \\
https://www.c-sharpcorner.com/article/monitoring-remote-log-remotely-using-wmi-in-C-Sharp-and-net/ - remote log watching using WMI \\
https://www.loggly.com/ultimate-guide/centralizing-windows-logs/ - collecting logs on a single machine using subscriptions \\
https://blog.netwrix.com/2016/01/15/how-to-get-user-logon-session-times-from-event-log/ \\
The file with the **Message Templates** is **%SystemRoot%\system32\adtschema.dll**; its contents can be inspected with [[http://www.angusj.com/resourcehacker/#download|Resource Hacker]]

====== Active Directory related Event IDs ======
===== Groups related Event IDs =====
<code>
4727 A security-enabled global group was created.
4730 A security-enabled global group was deleted.
4731 A security-enabled local group was created.
4734 A security-enabled local group was deleted.
4735 A security-enabled local group was changed.
4737 A security-enabled global group was changed.
4744 A security-disabled local group was created.
4745 A security-disabled local group was changed.
4748 A security-disabled local group was deleted.
4749 A security-disabled global group was created.
4750 A security-disabled global group was changed.
4753 A security-disabled global group was deleted.
4754 A security-enabled universal group was created.
4755 A security-enabled universal group was changed.
4758 A security-enabled universal group was deleted.
4759 A security-disabled universal group was created.
4760 A security-disabled universal group was changed.
4763 A security-disabled universal group was deleted.
4764 A group type was changed.
</code>
===== Group members related Event IDs =====
<code>
4728 A member was added to a security-enabled global group.
4729 A member was removed from a security-enabled global group.
4732 A member was added to a security-enabled local group.
4733 A member was removed from a security-enabled local group.
4746 A member was added to a security-disabled local group.
4747 A member was removed from a security-disabled local group.
4751 A member was added to a security-disabled global group.
4752 A member was removed from a security-disabled global group.
4756 A member was added to a security-enabled universal group.
4757 A member was removed from a security-enabled universal group.
4761 A member was added to a security-disabled universal group.
4762 A member was removed from a security-disabled universal group.
4780 The ACL was set on accounts which are members of administrators groups.
</code>
===== User Accounts related Event IDs =====
<code>
4720 A user account was created.
4722 A user account was enabled.
4725 A user account was disabled.
4726 A user account was deleted.
4738 A user account was changed.
4740 A user account was locked out.
4767 A user account was unlocked.
4781 The name of an account was changed.
</code>
===== Computer Accounts related Event IDs =====
<code>
4741 A computer account was created.
4742 A computer account was changed.
4743 A computer account was deleted.
</code>
===== AD Objects related Event IDs =====
<code>
4661 A handle to an object was requested.
4662 An operation was performed on an object.
5136 A directory service object was modified.
5137 A directory service object was created.
5138 A directory service object was undeleted.
5139 A directory service object was moved.
5141 A directory service object was deleted.
</code>
===== Credentials and Passwords related Event IDs =====
<code>
4723 An attempt was made to change an account's password.
4724 An attempt was made to reset an account's password.
4794 An attempt was made to set the Directory Services Restore Mode administrator password.
5376 Credential Manager credentials were backed up.
5377 Credential Manager credentials were restored from a backup.
</code>
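To turn the tables above into something a collector can act on, here is an added example (not code from this wiki or from any of the linked vendors) that maps each listed event ID to a category and action, parses a constructed tab-separated export of Security events, and assigns a triage severity. The export format, the ''WATCHED_GROUPS'' list and the severity policy are assumptions for the demo; only the event IDs and their meanings come from the tables.

```python
"""Triage of Windows Security events using the Active Directory event ID tables
on this page. Added example; the tab-separated records in SAMPLE_EXPORT are
constructed for the demo and are not a real export from a domain controller."""
from typing import Dict, List, Optional, Tuple

# (category, action) per event ID, taken from the page's tables.
GROUP_LIFECYCLE: Dict[int, str] = {
    4727: "created", 4730: "deleted", 4731: "created", 4734: "deleted",
    4735: "changed", 4737: "changed", 4744: "created", 4745: "changed",
    4748: "deleted", 4749: "created", 4750: "changed", 4753: "deleted",
    4754: "created", 4755: "changed", 4758: "deleted", 4759: "created",
    4760: "changed", 4763: "deleted", 4764: "type changed",
}
MEMBERSHIP: Dict[int, str] = {
    4728: "member added", 4729: "member removed", 4732: "member added",
    4733: "member removed", 4746: "member added", 4747: "member removed",
    4751: "member added", 4752: "member removed", 4756: "member added",
    4757: "member removed", 4761: "member added", 4762: "member removed",
    4780: "ACL set on admin-group member",
}
# Additions to security-enabled groups are the ones that actually grant access.
SECURITY_ENABLED_ADD = {4728, 4732, 4756}
USER_ACCOUNT = {4720: "created", 4722: "enabled", 4725: "disabled", 4726: "deleted",
                4738: "changed", 4740: "locked out", 4767: "unlocked", 4781: "renamed"}
COMPUTER_ACCOUNT = {4741: "created", 4742: "changed", 4743: "deleted"}
DS_OBJECT = {4661: "handle requested", 4662: "operation performed", 5136: "modified",
             5137: "created", 5138: "undeleted", 5139: "moved", 5141: "deleted"}
CREDENTIALS = {4723: "password change attempted", 4724: "password reset attempted",
               4794: "DSRM administrator password set",
               5376: "Credential Manager backup", 5377: "Credential Manager restore"}
SESSION = {4624: "logon", 4634: "logoff", 4800: "workstation locked",
           4801: "workstation unlocked"}
CATEGORIES = [("group", GROUP_LIFECYCLE), ("group membership", MEMBERSHIP),
              ("user account", USER_ACCOUNT), ("computer account", COMPUTER_ACCOUNT),
              ("directory object", DS_OBJECT), ("credentials", CREDENTIALS),
              ("session", SESSION)]
# Hypothetical watch list; replace with the privileged groups of your own domain.
WATCHED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}


def classify(event_id: int) -> Tuple[str, str]:
    """Map an event ID to (category, action); IDs outside the tables are 'unknown'."""
    for category, table in CATEGORIES:
        if event_id in table:
            return category, table[event_id]
    return "unknown", "not in the page's tables"


def severity(event_id: int, group: Optional[str]) -> str:
    """Assumed triage policy: DSRM password / admin ACL events and additions to
    watched security-enabled groups are high, other directory changes medium,
    session events and unknown IDs low."""
    if event_id in (4794, 4780) or (event_id in SECURITY_ENABLED_ADD and group in WATCHED_GROUPS):
        return "high"
    category, _ = classify(event_id)
    return "low" if category in ("session", "unknown") else "medium"


# Constructed export: time <TAB> event ID <TAB> account <TAB> group (or "-").
SAMPLE_EXPORT = """\
2019-06-26T09:58:01\t4624\tjdoe\t-
2019-06-26T09:59:10\t4728\tjdoe\tDomain Admins
2019-06-26T10:00:03\t4732\tsvc-backup\tBackup Operators
2019-06-26T10:00:40\t4794\tAdministrator\t-
2019-06-26T10:01:15\t4726\tolduser\t-
2019-06-26T10:02:00\t5136\tCN=Policies,CN=System\t-
2019-06-26T10:02:30\t9999\tnobody\t-
"""


def parse_export(text: str) -> List[dict]:
    """Parse the constructed export format into records; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        when, eid, account, group = line.split("\t")
        records.append({"time": when, "event_id": int(eid), "account": account,
                        "group": None if group == "-" else group})
    return records


def triage(text: str) -> List[Tuple[str, int, str, str, str]]:
    """Return (severity, event_id, category, action, account) for every record."""
    out = []
    for r in parse_export(text):
        category, action = classify(r["event_id"])
        out.append((severity(r["event_id"], r["group"]), r["event_id"],
                    category, action, r["account"]))
    return out


if __name__ == "__main__":
    for row in triage(SAMPLE_EXPORT):
        print(*row, sep="\t")
```

The point of keeping the tables as plain dictionaries is that a collector (a service of the kind the dzone and c-sharpcorner links describe, or a forwarding subscription as in the loggly guide) only needs the event ID and the target group name to decide what to escalate; the message text from adtschema.dll is not needed for the decision itself.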

===== User LogOn/LogOff, Computer Lock/Unlock Events =====
<code>
4624 An account was successfully logged on.
4634 An account was logged off.
4800 The workstation was locked.
4801 The workstation was unlocked.
</code>
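Reconstructing logon session times from these four events, as the netwrix link above discusses, is mostly a matter of pairing them by Logon ID and ignoring non-interactive logons. The following is an added example, not code from this wiki or from netwrix; the events are constructed, with field names (Logon ID, Logon Type) matching the real event data but made-up values.

```python
"""Reconstruct interactive logon sessions and locked time from Security events
4624, 4634, 4800 and 4801. Added example: SAMPLE_EVENTS is constructed, with
field names following the real event data (Logon ID, Logon Type) but made-up values."""
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Logon types treated as an interactive user session: 2 (Interactive),
# 10 (RemoteInteractive), 11 (CachedInteractive). Network logons (type 3)
# also raise 4624 and would inflate session counts if not filtered out.
INTERACTIVE_TYPES = {2, 10, 11}

# Constructed events: (timestamp, event_id, account, logon_id, logon_type).
# 4634/4800/4801 carry no logon type, so it is None for them.
SAMPLE_EVENTS: List[Tuple[str, int, str, str, Optional[int]]] = [
    ("2019-06-26T09:00:00", 4624, "jdoe", "0x3e7a1", 2),
    ("2019-06-26T09:05:00", 4624, "svc-scan", "0x41b22", 3),    # network logon, ignored
    ("2019-06-26T09:30:00", 4800, "jdoe", "0x3e7a1", None),
    ("2019-06-26T09:45:00", 4801, "jdoe", "0x3e7a1", None),
    ("2019-06-26T09:50:00", 4624, "asmith", "0x52c10", 10),
    ("2019-06-26T10:00:00", 4634, "jdoe", "0x3e7a1", None),
    ("2019-06-26T10:10:00", 4801, "asmith", "0x52c10", None),  # unlock without lock, ignored
]


def reconstruct(events) -> Dict[str, dict]:
    """Return one session per Logon ID: account, start, end (None while still
    open), locked_seconds and active_seconds (duration minus locked time)."""
    sessions: Dict[str, dict] = {}
    # ISO 8601 timestamps sort correctly as strings.
    for ts, eid, account, logon_id, logon_type in sorted(events, key=lambda e: e[0]):
        t = datetime.fromisoformat(ts)
        if eid == 4624:
            if logon_type in INTERACTIVE_TYPES:
                sessions[logon_id] = {"account": account, "start": t, "end": None,
                                      "locked_seconds": 0, "_lock_started": None}
            continue
        s = sessions.get(logon_id)
        if s is None:
            continue  # event for a session whose 4624 was never seen (or was non-interactive)
        if eid == 4800:
            s["_lock_started"] = t
        elif eid == 4801 and s["_lock_started"] is not None:
            s["locked_seconds"] += int((t - s["_lock_started"]).total_seconds())
            s["_lock_started"] = None
        elif eid == 4634:
            s["end"] = t
    for s in sessions.values():
        if s["end"] is not None:
            s["active_seconds"] = int((s["end"] - s["start"]).total_seconds()) - s["locked_seconds"]
        else:
            s["active_seconds"] = None  # still logged on at the end of the log
        del s["_lock_started"]
    return sessions


if __name__ == "__main__":
    for logon_id, s in reconstruct(SAMPLE_EVENTS).items():
        print(logon_id, s["account"], s["start"], s["end"], s["locked_seconds"], s["active_seconds"])
```

Two caveats the sample exercises: a 4624 with logon type 3 must not open a session, and a 4801 with no preceding 4800 (a log gap, or a lock that happened before collection started) must not produce negative locked time.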
  
  • ms_windows_ms_sql/ad_changes_monitoring.txt
  • Last modified: 2019/06/26 10:01
  • by admin