On my test W2K3 DC (a default install) the only thing configured when talking about auditing is:
SUCCESS for EVERYONE for write property (2x)
I have configured SUCCESS for EVERYONE for DELETE AND DELETE SUBTREE.
Created a DFS root
Deleted the DFS ROOT
The following is what is reported by the security log:
Category: Directory Service Access
ID: 566
Object Operation:
Object Server: DS
Operation Type: Object Access
Object Type: fTDfs
Object Name: CN=TEST$\0ADEL:2f48a914-e2d1-49ea-9534-3ebd33dcee9b,CN=Deleted Objects,DC=ADCORP,DC=LAN
Handle ID: -
Primary User Name: W2K3DC001$
Primary Domain: ADCORP
Primary Logon ID: (0x0,0x3E7)
Client User Name: Administrator <---------------------- this tells you who did it (in my case it was the administrator)
Client Domain: ADCORP
Client Logon ID: (0x0,0x30554)
Accesses: DELETE
Properties:
DELETE
fTDfs
Additional Info:
Additional Info2:
Access Mask: 0x10000
--
Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)
# Jorge de Almeida Pinto #
MVP Windows Server - Directory Services
BLOG --> http://blogs.dirteam.com/blogs/jorge/default.aspx
-----------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test before implementing!
-----------------------------------------------------------------------------
-----------------------------------------------------------------------------
Post by Tim Kalligonis
I just checked the auditing on the DFS-Configuration and it actually is set
to audit EVERYONE - special. One item it is auditing for is DELETE both
success and failure.
Do you know what event ID I would need to search for?
This event would be on a domain controller, correct?
If so, how would I determine which domain controller to look on. In this
domain we have 49 DCs.
Post by Jorge de Almeida Pinto [MVP]
I guess auditing of successful directory access should be enabled on the
DCs.
Besides that the container (Dfs-Configuration) that hosts the DFS
namespace should be audited for DELETE actions by the group you want to
be audited. I just checked and that is not enabled by default on that
container.
Post by Tim Kalligonis
Windows 2003 all around on the DCs - 2003 Domain and Forest functional level
We delegated control to a DFS root so the division could manage their
own DFS root.
Well someone deleted the DFS root which caused the 200+ DFS links to
disappear as well.
We need to determine who did it.
I've tested in our lab creating and deleting a DFS root and nothing gets
logged to the event logs. How can I determine who deleted the DFS root?
Thanks
Tim
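
Added example (not part of the original posts): a small parser for the event 566 description text shown in the first reply, which picks out the Client User Name and recovers the deleted object's original name from the "\0ADEL:<GUID>" entry under CN=Deleted Objects. It assumes the event descriptions have been exported as plain text from a DC's Security log; the function names and the SAMPLE text are constructed for illustration.

```python
import re

DELETE = 0x10000  # DELETE access right; matches "Access Mask: 0x10000" in the event

# Constructed sample: description text of the event 566 quoted in this thread,
# with Object Name wrapped over three lines as it appears there.
SAMPLE = r"""Object Operation:
Object Server: DS
Object Type: fTDfs
Object Name:
CN=TEST$\0ADEL:2f48a914-e2d1-49ea-9534-3ebd33dcee9b,CN=Deleted
Objects,DC=ADCORP,DC=LAN
Primary User Name: W2K3DC001$
Client User Name: Administrator
Client Domain: ADCORP
Client Logon ID: (0x0,0x30554)
Accesses: DELETE
Properties:
DELETE
fTDfs
Access Mask: 0x10000"""

def parse_fields(text):
    """Split 'Name: value' lines; any other non-empty line continues the last field."""
    fields, last = {}, None
    for line in (l.strip() for l in text.splitlines()):
        m = re.match(r"([A-Za-z0-9 ]+):\s*(.*)$", line)
        if m:
            last = m.group(1)
            fields[last] = m.group(2)
        elif line and last:
            fields[last] = (fields[last] + " " + line).strip()
    return fields

def dfs_object_deletion(text):
    """Return who deleted which fTDfs object, or None if the event is not one."""
    f = parse_fields(text)
    if f.get("Object Type") != "fTDfs" or not int(f.get("Access Mask", "0"), 16) & DELETE:
        return None
    # A deleted object is renamed <old CN>\0ADEL:<objectGUID> under CN=Deleted Objects.
    m = re.match(r"CN=(.+?)\\0ADEL:([0-9a-fA-F-]{36}),CN=Deleted Objects,",
                 f.get("Object Name", ""))
    return {
        "who": f.get("Client Domain", "") + "\\" + f.get("Client User Name", ""),
        "logon_id": f.get("Client Logon ID"),
        "primary_user": f.get("Primary User Name"),  # W2K3DC001$ in the sample, not the actor
        "name": m.group(1) if m else f.get("Object Name"),
        "guid": m.group(2) if m else None,
    }
```

Calling dfs_object_deletion(SAMPLE) reports ADCORP\Administrator as the account that deleted the fTDfs object TEST$; events with another Object Type or without the DELETE bit in the Access Mask return None.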