Security Basics mailing list archives

Re: Local PC Admin Group change - Alerts


From: "Kurt Buff" <kurt.buff () gmail com>
Date: Mon, 20 Aug 2007 11:00:10 -0700

On 8/16/07, Tinu Koshy (CISD) <tkoshy () adco ae> wrote:

Dear List,

Is there a way to get information about changes done to the Local
"Administrators" group of a PC that is attached to the domain? I know
that it is possible to get information about changes in the user groups
defined within the AD, but that is not my objective; instead my concern
is about local admin / power user groups within individual PCs connected
to the domain.

I do not want to check in the event viewer of individual PCs but hoped
to see this info come to a central place or to the event viewer of any
of the domain controllers within the network whose logs are already
being audited.

If anyone has thought about this before and knows a way to achieve it without
the installation of any agent on PCs, barring a logon batch file if
necessary, please would you let me know of the same.

Thanks,
Tinu Koshy

PS: My paranoia comes from the fact that we have over 40 domain
administrators. I hope to put in a process correction there but only
once I have some technical controls to back me.

I'd suggest turning up the security logging on the local machines,
then installing something like the SNARE client from sourceforge
(http://www.intersectalliance.com/projects/index.html) - that will
monitor your event logs, and send each event back to your central
syslog server. Also, I've heard good things about EvtSys, but haven't
used it - https://engineering.purdue.edu/ECN/Resources/Documents/UNIX/evtsys/

This, of course, requires a syslog server as well, but there are many
alternatives for that, including *nix (I prefer FreeBSD) and Windows
(I love the Kiwi syslog server). Then it's a simple matter of
monitoring your syslog server(s).

Kurt
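Once the workstation security logs are arriving at the central syslog server, as Kurt describes, the remaining work is picking the local-group changes out of everything else. The Python below is an added example, not part of either post and not SNARE or EvtSys code: the sample lines, field layout, hostnames and accounts are constructed assumptions, while the event IDs are the real Windows IDs for membership changes to security-enabled local groups.

```python
import re
from dataclasses import dataclass

# Windows security event IDs for membership changes to security-enabled
# local groups: 636/637 on 2000/XP/2003 (the era of this thread),
# 4732/4733 on Vista/2008 and later.
LOCAL_GROUP_EVENTS = {"636": "added", "637": "removed",
                      "4732": "added", "4733": "removed"}
WATCHED_GROUPS = {"administrators", "power users"}

# Constructed sample lines (assumed layout, not real SNARE or EvtSys output):
# a syslog header followed by key="value" fields taken from the Windows event.
SAMPLE_LOG = """\
<13>Aug 20 10:58:01 WKS-042 EventID="4732" Host="WKS-042" Group="Administrators" GroupDomain="WKS-042" Member="CORP\\jdoe" Actor="CORP\\helpdesk1"
<13>Aug 20 10:58:05 WKS-042 EventID="4732" Host="WKS-042" Group="Remote Desktop Users" GroupDomain="WKS-042" Member="CORP\\jdoe" Actor="CORP\\helpdesk1"
<13>Aug 20 10:59:12 DC01 EventID="4732" Host="DC01" Group="Administrators" GroupDomain="Builtin" Member="CORP\\svc_backup" Actor="CORP\\admin7"
<13>Aug 20 11:00:40 WKS-077 EventID="637" Host="WKS-077" Group="Power Users" GroupDomain="WKS-077" Member="WKS-077\\localuser" Actor="WKS-077\\Administrator"
<13>Aug 20 11:01:02 WKS-077 EventID="4624" Host="WKS-077" Member="CORP\\jdoe" Actor="-"
"""

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


@dataclass
class Alert:
    host: str
    group: str
    action: str
    member: str
    actor: str


def parse_fields(line: str) -> dict:
    """Turn the key="value" part of a forwarded line into a dict."""
    return dict(FIELD_RE.findall(line))


def local_group_alerts(log_text: str) -> list:
    """Return one Alert per watched local-group membership change."""
    alerts = []
    for line in log_text.splitlines():
        f = parse_fields(line)
        action = LOCAL_GROUP_EVENTS.get(f.get("EventID"))
        if action is None:
            continue  # not a local group membership event
        # A local group carries the machine name as its domain; groups whose
        # domain differs (e.g. the DC's Builtin Administrators) are already
        # covered by the existing domain-controller auditing, so skip them.
        if f.get("GroupDomain", "").lower() != f.get("Host", "").lower():
            continue
        if f.get("Group", "").lower() not in WATCHED_GROUPS:
            continue
        alerts.append(Alert(f["Host"], f["Group"], action, f["Member"], f["Actor"]))
    return alerts


if __name__ == "__main__":
    for a in local_group_alerts(SAMPLE_LOG):
        print(f"{a.host}: {a.member} {a.action} ({a.group}) by {a.actor}")
```

Run against the sample it reports the two workstation changes and ignores the Remote Desktop Users change, the domain controller event and the unrelated logon.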
