Change Happens. Users come and go, their properties change, policy needs are revised, and groups have their memberships updated. Changes are made all over your organization, and they eventually find their way to your Domain Controllers where objects are modified and the changes replicate throughout your organization. Keeping tabs on all of these changes is a tricky proposition, but it’s our job to make it simple here at STEALTHbits.
We all know that changes actually happen on DCs, and when the change happens the source DC is stamped on the object in its replication metadata, so that part is easy to figure out. The much trickier part is understanding where the change request came from. It’s only on rare occasions that the application making the request is actually on the DC itself, so the vast majority of the time the changes come from elsewhere – and this is where a good product gives you a leg up on the standard change events that Microsoft provides. Armed with the workstation the change originated from, the protocol used, and the port it bound to, you can answer questions like:
- Which of the services that this service account is running on actually made the change? What machine is it on?
- Where does Bob the Administrator make most of his changes?
- Bob just made 250 changes from CindyWorkStation. Is this an intended set of changes, or is someone getting access to Bob’s account to make an out-of-bounds change?
- Are my admins making their changes on machines in the same site, or are they reaching outside of site boundaries to make changes on DCs that aren’t best for them? Are my sites misconfigured somewhere?
Clearly, this is valuable information, and it’s annoying that you can’t get it from Microsoft’s native event logging for AD changes. Luckily there’s an alternative, and that alternative is StealthINTERCEPT. Direct, in-line integration with the Active Directory event stream itself allows StealthINTERCEPT to bring hidden change event details to the surface, such as the machine or application a change originated from, providing the missing piece of information that can be critical to making not just good, but informed decisions in the management of your Active Directory implementation.
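To make the gap concrete, here is an added PowerShell example (not code from this post or from STEALTHbits) that shows exactly what the native tooling records for a change to one user object: the originating DC and time from replication metadata, and the subject and attribute from Directory Service Changes event 5136. It assumes the ActiveDirectory module, a DC reachable as the placeholder `DC01.corp.example`, a placeholder user DN, and that Directory Service Changes auditing is enabled on the DC so that 5136 events exist.

```powershell
# Added example, not from the original post or from STEALTHbits.
# Assumes: ActiveDirectory module installed, Directory Service Changes auditing
# enabled on the DC. DC hostname and object DN below are placeholders.
Import-Module ActiveDirectory

$Dc = 'DC01.corp.example'                           # placeholder DC hostname
$Dn = 'CN=Bob Admin,OU=Admins,DC=corp,DC=example'   # placeholder object DN

# 1. Replication metadata: each replicated attribute carries the DC on which
#    the last originating write happened, its time and its version. This is
#    the "source DC stamped on the object" that the post refers to.
Get-ADReplicationAttributeMetadata -Object $Dn -Server $Dc |
    Where-Object { $_.AttributeName -in 'description', 'userAccountControl', 'pwdLastSet' } |
    Select-Object AttributeName, Version,
                  LastOriginatingChangeTime,
                  LastOriginatingChangeDirectoryServerIdentity |
    Format-Table -AutoSize

# 2. Native audit event 5136 on that DC: records who changed which attribute,
#    but has no data item for the client workstation, protocol or port.
$events = Get-WinEvent -ComputerName $Dc `
    -FilterHashtable @{ LogName = 'Security'; Id = 5136 } -MaxEvents 200

foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($item in $xml.Event.EventData.Data) { $data[$item.Name] = $item.'#text' }

    if ($data['ObjectDN'] -ne $Dn) { continue }

    [pscustomobject]@{
        Time       = $e.TimeCreated
        Subject    = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
        LogonId    = $data['SubjectLogonId']
        Attribute  = $data['AttributeLDAPDisplayName']
        Value      = $data['AttributeValue']
        Operation  = $data['OperationType']      # %%14674 = value added, %%14675 = value deleted
        # 5136 defines no IpAddress or WorkstationName item; this stays '<not recorded>'.
        ClientHost = if ($data.ContainsKey('IpAddress')) { $data['IpAddress'] } else { '<not recorded>' }
    }
}
```

Run it against a test account after making a change to it and compare the two outputs: the metadata tells you which DC accepted the write, the 5136 event tells you which account made it, and neither tells you which machine the request came from. The closest native workaround is to take the `SubjectLogonId` from the 5136 event and look for a 4624 logon event on the same DC with the same logon ID, which does carry the client's `IpAddress` and `WorkstationName`; that join is fragile for long-lived sessions and for changes that arrive over replication rather than directly, which is the gap the post is describing.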