Windows Administrative activity and Policy Changes

Discussion created by RSA Admin Employee on May 6, 2008
Latest reply on Feb 3, 2010 by RSA Admin

This is (sort of) my first post so please go easy on me.

I am currently building an alert view to track all changes to an Active Directory domain. I was wondering what EventIDs people were looking for as well as any creative ways to correlate the information. So far I am tracking the following messages:

Security_643_Security

Security_643_Security:01

Security_643_Security:02

Security_529_Security

Security_529_Security:01

Security_529_Security:02

Security_632_Security

632_Group_Modified

I know there are more out there and "what constitutes admin activity" comes to mind. I am mostly concerned with changes to domain policy and Domain Administrator Groups.

Thanks in Advance!
