5 Replies Latest reply on Sep 16, 2013 3:45 PM by tmiranda

    Tracking AD changes in LEM

    zmilbach

I'm fairly new to LEM. I'm trying to create a filter that will show me when someone makes a change to an AD group, whether it be removing a user from a group or adding a new group altogether. Anyone have any suggestions? I've been looking in the Change Management section but not seeing anything jumping out at me.

       

The person that set this up before me has the filter just looking at Auditable Group Events, but whenever I add a group or make changes to a group I don't see it come across LEM at all.

       

      Thanks for any insight.

        • Re: Tracking AD changes in LEM
          katebrew

          Hi, I am a new product marketing person at SolarWinds and I'm sorry I don't know this answer.  I've reached out to some technical folks, though, and pointed them at your post, so hopefully we can help you out.

          • Re: Tracking AD changes in LEM
            tmiller_hockey

            In your LEM console, click build then rules.

             

Look in the left column under Folders and find "Rule Library". Open this up and underneath you will see a "Windows/Active Directory" category. All the rules you need for monitoring any group changes/deletions are located here.

             

Click the gear wheel on the rule you want to use and select "Clone". This will place the rule in the "Custom Rules" folder. Go there and edit the rule, making the changes you want, such as who gets notified, etc. Click Apply, then Save, and don't forget to activate the rule.

            • Re: Tracking AD changes in LEM
              nicole pauls

              Those templates for rules will also be useful when trying to create filters - it will be the same logic that you can use there.

               

              The Auditable Group Events group SHOULD be catching when a user is added/removed from a group, a property change (like the name) is made to that group, that sort of thing. If you're not seeing those events, you might also want to check your domain/local audit policy and make sure those changes are being audited, and then your event log rotation to make sure it's not full or dropping events.

               

              Another approach might be to create a filter that shows you ALL activity from that device (Any Alert.DetectionIP = <that system>) and see everything that's coming in. If you're auditing login activity that might be overwhelming, so you could narrow it to something like "Change Management Events.DetectionIP = <that system>" too.

               

              And, lastly, you could use nDepth to historically search for those group events - from the filter you've got built, hit the left gear and use "send to nDepth". You can expand the timeframe on the right and hit the Play button again to search back through your data farther. That might help identify if there have been any at all.

              • Re: Tracking AD changes in LEM
                zmilbach

Thanks for the help, guys. Did some more digging on our DCs and found a buried Advanced Audit Configuration we missed. We had overlooked DS Access, and changed the policies to Success for Audit Directory Service Access and Audit Directory Service Changes. Thought we had this enabled at a higher level but didn't see this until we drilled even deeper.

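The checks suggested in the two posts above (audit policy, Security log capacity, and whether any group events exist at all) can be run directly on a domain controller before touching a LEM filter. The script below is an added example, not code from the original thread or from SolarWinds; run it in an elevated PowerShell session on a DC (Windows Server 2008 R2 or later, where auditpol.exe and Get-WinEvent are available). The function name, the $LookbackDays parameter and the output format are this example's own choices. One detail worth knowing when working through the Advanced Audit Policy: the group membership and group create/delete/rename events (4727-4735, 4754-4758) are generated by the "Security Group Management" subcategory under Account Management, while "Directory Service Changes" under DS Access produces the object-level 5136/5137/5141 events, so the script reports both.

```powershell
# Added example (not from the original thread or from SolarWinds).
# Confirms, on a domain controller, that AD group changes are being audited
# and written to the Security log, so that a missing event in LEM can be
# traced to policy, log rotation, or the agent rather than the filter.
function Test-AdGroupAuditing {
    param([int]$LookbackDays = 7)   # example parameter, not a LEM setting

    # --- 1. Advanced Audit Policy subcategories ------------------------------
    # Security Group Management  -> 4727-4735, 4754-4758 (group/member changes)
    # Distribution Group Management -> same pattern for distribution groups
    # Directory Service Changes  -> 5136/5137/5141 (object attribute changes)
    $subcategories = @(
        'Security Group Management'
        'Distribution Group Management'
        'Directory Service Changes'
    )

    # SCENoApplyLegacyAuditPolicy = 1 means the advanced subcategories override
    # the nine legacy audit categories (GPO: "Audit: Force audit policy
    # subcategory settings ... to override audit policy category settings").
    $lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
    'Advanced audit policy overrides legacy categories: {0}' -f ($lsa.SCENoApplyLegacyAuditPolicy -eq 1)

    foreach ($sub in $subcategories) {
        # auditpol /r prints CSV; 'Inclusion Setting' is "Success", "Failure",
        # "Success and Failure" or "No Auditing".
        $row = auditpol /get /subcategory:"$sub" /r |
               Where-Object { $_ -ne '' } |
               ConvertFrom-Csv
        '{0,-32} {1}' -f $sub, $row.'Inclusion Setting'
        # To enable locally for a quick test (a domain GPO will overwrite this at
        # the next refresh, so the lasting fix belongs in the Default Domain
        # Controllers Policy):
        #   auditpol /set /subcategory:"$sub" /success:enable
    }

    # --- 2. Security log capacity --------------------------------------------
    # In Circular mode the oldest records are overwritten once MaximumSizeInBytes
    # is reached; if the agent falls behind, those events never reach LEM.
    $log = Get-WinEvent -ListLog Security
    'Security log: mode={0}, max={1} MB, records={2}, last write={3}' -f
        $log.LogMode, [int]($log.MaximumSizeInBytes / 1MB), $log.RecordCount, $log.LastWriteTime

    # --- 3. Were any group-change events actually generated? ----------------
    $groupEventIds = @(
        4727, 4728, 4729, 4730, 4731, 4732, 4733, 4734, 4735, 4737
        4754, 4755, 4756, 4757, 4758
    )
    # Get-WinEvent reports "no events found" as a non-terminating error rather
    # than returning $null, hence -ErrorAction SilentlyContinue.
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = $groupEventIds
        StartTime = (Get-Date).AddDays(-$LookbackDays)
    } -ErrorAction SilentlyContinue

    if (-not $events) {
        "No group-change events in the last $LookbackDays days. Make a test change " +
        "(add a user to a test group) and re-run before suspecting LEM."
        return
    }

    foreach ($e in $events) {
        # Read EventData fields by name from the event XML; the positional
        # Properties order differs between the various group event IDs.
        $data = @{}
        ([xml]$e.ToXml()).Event.EventData.Data |
            ForEach-Object { $data[$_.Name] = $_.'#text' }
        [pscustomobject]@{
            Time   = $e.TimeCreated
            Id     = $e.Id
            Group  = $data['TargetUserName']
            Member = $data['MemberName']       # empty for create/delete/change events
            By     = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
        }
    }
}

Test-AdGroupAuditing -LookbackDays 7
```

If step 1 shows "No Auditing" or the override flag is False, the events are never written and no LEM filter can show them; if step 3 lists events on the DC but LEM shows nothing, the problem is between the Security log and LEM (agent not installed on that DC, or the log rotating before the agent reads it), which is where the nDepth search and the DetectionIP filter described above become useful.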
                • Re: Tracking AD changes in LEM
                  tmiranda

You'll also want to make sure you have the LEM agent on all of your DCs.