The applications in our location that use our ADAM directories should return a limited number (less than 20) of entries per query. We would like to log every query that exceeds that amount. By changing the Field Engineering Diagnostics setting to 5 and adding an Expensive Search Results Threshold parameter, I was able to log the query information. This works great when an AD account ran the query, since the account shows up next to User: in the log entry. Unfortunately, no user information appears when the query is run using an ADAM account. I tried changing different parameters to get the login/binding information to appear in the Event Logs with no luck. Is there a special parameter that I need to add to create a log entry whenever someone authenticates to an ADAM directory with an ADAM account? Is there some other way to determine who submitted the query?
Hi
I do not think that the Field Engineering event log entries will populate the User column of the ADAM instance event log for a native ADAM user - I think they need a Windows security principal (context) for that.
To get a security log audit when a native ADAM user connects to an instance you need "Audit account logon events" enabled in the server security policy of the server housing the instance. However, you would then have to try and correlate those entries to the Field Engineering logging.
Beyond that, the option is directory services auditing by setting a SACL, but that would audit all accesses with no regard to thresholds, and off the top of my head I cannot recall the status of auditing for native ADAM users.
Further input from me will likely be delayed due to holidays,
Lee Flight
"drm" <don.mai[ at ]westernsouthernlife.com> wrote in message news:112b1028-dd7a-4d4f-b790-077345d0719c[ at ]k41g2000yqn.googlegroups.com...
On Dec 23, 7:43 pm, "Lee Flight" <l...[ at ]le.ac.uk-nospam> wrote:
Thanks. Unfortunately, I need someone on our server management team to change the domain security policy for our ADAM servers and this will not happen until next week.
A not-too-distant future project involves using SIEM tools. Hopefully I can use that to correlate the security logs and the Field Engineering logs or at least limit the search.
A question about policies limiting search result size comes up from time to time. From my perspective, such a policy makes little sense, because any search can be split into a set of smaller searches. For example, if you want to prevent somebody from enumerating all objects in a partition, they can always run a series of searches:
    (name>=a) && (name<b)
    (name>=b) && (name<c)
    ....
    (name>=z)
That will end up returning the complete result set anyway.
--
Dmitri Gavrilov
SDE, Exchange
This posting is provided "AS IS" with no warranties, and confers no rights. Use of included script samples are subject to the terms specified at http://www.microsoft.com/info/cpyright.htm
"drm" <don.mai[ at ]westernsouthernlife.com> wrote in message news:efba7e93-22b0-4cdb-b5dc-1cc15bc11de1[ at ]l38g2000vba.googlegroups.com...
On Dec 24, 2:46 pm, drm <don....[ at ]westernsouthernlife.com> wrote:
I checked the log entries after the security policy was updated and no logs were generated. Do I need to change a registry setting or add a parameter like I did for the query?
While checking this out, I noticed some Success Audit security log entries with an Event ID of 697. These show up on the test box I am using and on another server with an ADAM instance where the security policy was not changed. I traced the activity to a monitoring tool that queries the directory to verify that it is functioning properly. The Username in the log is the service account, not the ADAM account. According to the security policy on that box, it only creates a success log on Audit account management.
On Dec 30, 11:59 am, drm <don....[ at ]westernsouthernlife.com> wrote:
To Dmitri,
Thanks for your comments. Based on that, we may need to log all queries and use a monitoring tool that will alert us when there is something unusual such as this.
Hi
So if you look at the effective local security policy on the ADAM instance server, you need to see "Audit account logon events" enabled for Success/Failure - note this is different from "Audit account management".
Note also that if you are using an account other than Network Service for the ADAM instance service account you will need to grant that account the "Generate security audits" right in User Rights Assignment of the ADAM instance server.
You should see something like:
==
Event Type: Success Audit
Event Source: Security
Event Category: Account Logon
Event ID: 680
Date: 30/12/2008
Time: 18:23:44
User: S-1-480278077-1953285538-3517650413-1122209673-3100121259-1677648243
Computer: VPC-MEM2
Description:
Logon attempt by: ADAM_instance1
Logon account: CN=test6,OU=myusers,O=msft
Source Workstation: 127.0.0.1
Error Code: 0x0
==
Lee Flight
"drm" <don.mai[ at ]westernsouthernlife.com> wrote in message news:48919174-b9e1-4873-94c3-7cba8d16f14f[ at ]v4g2000vbb.googlegroups.com...
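Added example (editor's code, not posted by anyone in this thread): a Python script that does the correlation Lee Flight describes and applies the cumulative check that Dmitri Gavrilov's range-splitting argument calls for. It parses 680 "Account Logon" entries in the layout shown above, keeps only successful binds (Error Code 0x0), ties each expensive-search record to the latest successful bind from the same Source Workstation, and then sums Returned entries per account over a sliding window so that a run of small range-split searches is judged by its combined size rather than per query. The one-line search record layout (client address, filter, returned count), the 1-hour bind window, the 5-minute aggregation window and every sample value are constructed assumptions; the real Field Engineering event text is longer and has to be mapped onto those three fields.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Security log 680 entries in the layout Lee Flight posted,
# trimmed to the fields parsed below; every value is made up.
LOGON_EVENTS = """\
Event ID: 680
Date: 30/12/2008
Time: 18:20:00
Logon account: CN=test5,OU=myusers,O=msft
Source Workstation: 10.0.0.5
Error Code: 0x0
==
Event ID: 680
Date: 30/12/2008
Time: 18:23:44
Logon account: CN=test6,OU=myusers,O=msft
Source Workstation: 10.0.0.5
Error Code: 0x0
==
Event ID: 680
Date: 30/12/2008
Time: 18:24:30
Logon account: CN=test8,OU=myusers,O=msft
Source Workstation: 10.0.0.9
Error Code: 0xC000006A
"""

# Constructed, simplified Field Engineering search records (assumed layout: one line
# per search with client address, filter and returned count; adapt SEARCH_RE to your own).
SEARCH_EVENTS = """\
30/12/2008 18:24:01 Client: 10.0.0.5:49321 Filter: (&(name>=a)(name<b)) Returned entries: 12
30/12/2008 18:24:03 Client: 10.0.0.5:49321 Filter: (&(name>=b)(name<c)) Returned entries: 9
30/12/2008 18:24:05 Client: 10.0.0.5:49321 Filter: (&(name>=c)(name<d)) Returned entries: 15
30/12/2008 18:24:08 Client: 10.0.0.5:49321 Filter: (name>=d) Returned entries: 7
30/12/2008 18:26:00 Client: 10.0.0.9:50100 Filter: (cn=app1) Returned entries: 1
"""

TS = "%d/%m/%Y %H:%M:%S"
SEARCH_RE = re.compile(r"^(\S+ \S+) Client: (\S+):\d+ Filter: (.*) Returned entries: (\d+)$")

def parse_logon_events(text):
    """Return successful native-ADAM binds as (time, account, source ip), oldest first."""
    binds = []
    for block in text.split("==\n"):
        f = dict(re.findall(r"^([^:\n]+): ?(.*)$", block, re.M))
        if f.get("Event ID") != "680" or f.get("Error Code") != "0x0":
            continue  # not a bind, or a failed bind (non-zero NTSTATUS): skip
        when = datetime.strptime(f["Date"] + " " + f["Time"], TS)
        binds.append((when, f["Logon account"], f["Source Workstation"]))
    return sorted(binds)

def parse_search_events(text):
    """Return one dict per search line that matches the assumed layout."""
    out = []
    for m in filter(None, map(SEARCH_RE.match, text.splitlines())):
        out.append({"time": datetime.strptime(m[1], TS), "client": m[2],
                    "filter": m[3], "returned": int(m[4])})
    return out

def attribute(searches, binds, window=timedelta(hours=1)):
    """Tie each search to the latest successful bind from the same source address
    at or before it. Event 680 carries no source port, so if more than one account
    bound from that host inside the window the result is flagged ambiguous."""
    for s in searches:
        cands = [(t, acct) for t, acct, ip in binds
                 if ip == s["client"] and timedelta(0) <= s["time"] - t <= window]
        s["account"] = cands[-1][1] if cands else None
        s["ambiguous"] = len({acct for _, acct in cands}) > 1
    return searches

def detect_split_enumeration(searches, threshold=20, window=timedelta(minutes=5)):
    """Per account, sum 'Returned entries' over a sliding time window so a run of
    small range-split searches is judged by its combined size, not per query."""
    by_acct = defaultdict(list)
    for s in searches:
        by_acct[s["account"] or "<unattributed %s>" % s["client"]].append(s)
    alerts = {}
    for acct, ss in by_acct.items():
        ss.sort(key=lambda s: s["time"])
        start = total = 0
        for end, s in enumerate(ss):
            total += s["returned"]
            while s["time"] - ss[start]["time"] > window:
                total -= ss[start]["returned"]
                start += 1
            if total > threshold and total > alerts.get(acct, {}).get("returned", 0):
                alerts[acct] = {"queries": end - start + 1, "returned": total,
                                "ambiguous": any(x["ambiguous"] for x in ss[start:end + 1])}
    return alerts

def run(threshold=20):
    searches = attribute(parse_search_events(SEARCH_EVENTS), parse_logon_events(LOGON_EVENTS))
    return detect_split_enumeration(searches, threshold)

if __name__ == "__main__":
    for acct, alert in run().items():
        print(acct, alert)
```

On the constructed data the four range-split searches from 10.0.0.5 each stay under the 20-entry threshold, but their combined 43 entries within a few seconds raise one alert for CN=test6, flagged ambiguous because CN=test5 also bound from that host inside the window. That ambiguity is inherent in correlating on Source Workstation alone, and it becomes total when the source is 127.0.0.1 as in Lee Flight's sample, so a SIEM rule built this way should report the candidate set rather than assert a single identity.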