Monitor Active Directory Account Activity Without Losing Your Hair
Why the reference to losing your hair? I remember working on a project where one of my responsibilities was to monitor Active Directory account activity. We used an on-premises solution designed specifically for monitoring and archiving domain controller security events, including account modifications. The SQL backend database was a bear to maintain, and I spent more than half of my time on database maintenance. The product produced very useful reports and helpful email alerts, but maintaining it proved to be a bit much. We eventually opted to drop the product.
PowerShell can be a very powerful tool, for example for generating spreadsheets of upcoming password expirations. I love PowerShell and its underlying technology, but it isn't the best solution for everyone. What most organizations need is a way to focus on the results and not so much on the technology itself. So, choose whatever poison works best for you.
To make matters a bit easier, regardless of the tool you are using, I've listed a few common events to filter against. You can use these with PowerShell or the event log parser of your choice. One prerequisite applies to all of them: none of these events are written unless success auditing for account management is enabled on your domain controllers (the "Audit account management" policy on Windows 2000/2003, the Account Management subcategory on Windows 2008), so check that before you go looking for events that were never logged.
Account Delete Events
There are two possible events to filter against for this one: either 630 or 4726. Event 630 (User Account Deleted) is logged by Windows 2000 and Windows 2003, whereas event 4726 (A user account was deleted) is logged by Windows 2008, Vista and Windows 7. Therefore, in order to have complete coverage you really want to filter against both of these events. In this case your filter will look like this:
(Event ID = "630") or (Event ID = "4726")
Global Security Group Activity
Similar to account deletion events, there are two event types to filter against for full coverage. Those events are 632 and 4728. Event 632 (Security Enabled Global Group Member Added) covers Windows 2000 and Windows 2003, while 4728 (A member was added to a security-enabled global group) covers Windows 2008, Vista and Windows 7. Do you see a pattern here? Every Windows 2008 event ID is the old Windows 2003 ID plus 4096. If you have a solution that monitors only for the 632 events, you will capture nothing from your Windows 2008 domain controllers once you have upgraded all of them. This pair matters more than it looks: Domain Admins is a global security group, so a 4728 on a domain controller is how you catch someone being added to it. The matching removal events are 633 and 4729 if you also want to see who was taken out. Your filter will look like this:
(Event ID = "632") or (Event ID = "4728")
Account Lockouts
Experienced Active Directory administrators know this event like the back of their hands, along with all of its fields: the ever-famous event 644 (User Account Locked Out). Expect a call to the helpdesk moments after seeing this alert. But don't forget its Windows 2008 cousin, event 4740. One caveat: for domain accounts the lockout is recorded on the domain controller holding the PDC emulator role (in addition to the DC that processed the failed logons), so make sure that DC is in your collection scope or you will miss lockouts. Here's your filter:
(Event ID = "644") or (Event ID = "4740")
Domain Password Policy Changes
You HAVE to monitor for these events. It is not unusual to walk into an organization and find system administrators with more rights than they require. Too often they are in the Domain Admins group when they should not be, and therefore they can change the domain password and lockout policy. Event 643 (Domain Policy Changed) is the Windows 2000/2003 form and 4739 is its Windows 2008 equivalent. Be sure to monitor these events closely:
(Event ID = "643") or (Event ID = "4739")
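To show how the four filters above come together in PowerShell, here is an added example script (mine, not code from the original post). It queries each domain controller for both the Windows 2000/2003 and the Windows 2008 form of every event listed, pulls the target account (or group and member) out of each record, and prints one normalized table. The domain controller names are placeholders, and it assumes the account running it can read each DC's Security log remotely and reach the DC over WMI for the OS version check; those are my assumptions, not something the post states.

```powershell
# Added example for this post, not code from the original. Pulls both the
# Windows 2000/2003 and the Vista/2008 form of every event listed above from
# a set of domain controllers and normalises them into one table.
# Assumptions (not from the post): the DC names are placeholders, the calling
# account can read each DC's Security log remotely (Event Log Readers or
# equivalent), and WMI is reachable for the OS version check.
param(
    [string[]]$DomainControllers = @('dc01', 'dc02'),
    [int]$Hours = 24,
    [string]$CsvPath = ''
)

# Each category lists the legacy ID and its post-Vista form (legacy + 4096).
$categories = @{
    'Account deleted'                = @(630, 4726)
    'Global group member added'      = @(632, 4728)
    'Account locked out'             = @(644, 4740)
    'Domain password policy changed' = @(643, 4739)
}
$ids   = @($categories.Values | ForEach-Object { $_ })
$since = (Get-Date).AddHours(-$Hours)

function Get-Category([int]$Id) {
    foreach ($name in $categories.Keys) {
        if ($categories[$name] -contains $Id) { return $name }
    }
    return 'Unknown'
}

function Get-EventField($Event, [string]$Name) {
    # Vista/2008 events expose named EventData fields in their XML.
    if ($Event -is [System.Diagnostics.Eventing.Reader.EventLogRecord]) {
        $xml  = [xml]$Event.ToXml()
        $node = $xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }
        if ($node) { return $node.'#text' }
        return ''
    }
    # Windows 2000/2003 events only carry the value as a labelled line of text.
    $labels = @{ 'TargetUserName' = 'Target Account Name'; 'MemberName' = 'Member Name' }
    if (-not $labels.ContainsKey($Name)) { return '' }
    if ($Event.Message -match ("{0}:\s*([^\r\n]+)" -f $labels[$Name])) { return $Matches[1].Trim() }
    return ''
}

function New-Row($Dc, $Time, [int]$Id, $Event) {
    New-Object PSObject -Property @{
        Time             = $Time
        DomainController = $Dc
        EventId          = $Id
        Category         = (Get-Category $Id)
        Target           = (Get-EventField $Event 'TargetUserName')  # account, or the group for 632/4728
        Member           = (Get-EventField $Event 'MemberName')      # only populated for group events
    }
}

$rows = foreach ($dc in $DomainControllers) {
    # NT 5.x (2000/2003) has no Windows Event Log service for Get-WinEvent
    # to talk to, so use the classic API there and filter client-side.
    $osVersion = [version](Get-WmiObject Win32_OperatingSystem -ComputerName $dc).Version
    if ($osVersion -ge [version]'6.0') {
        Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue -FilterHashtable @{
            LogName = 'Security'; Id = $ids; StartTime = $since
        } | ForEach-Object { New-Row $dc $_.TimeCreated $_.Id $_ }
    } else {
        Get-EventLog -ComputerName $dc -LogName Security -After $since |
            Where-Object { $ids -contains $_.EventID } |
            ForEach-Object { New-Row $dc $_.TimeGenerated $_.EventID $_ }
    }
}

$rows | Sort-Object Time |
    Format-Table Time, DomainController, EventId, Category, Target, Member -AutoSize
if ($CsvPath) { $rows | Sort-Object Time | Export-Csv -Path $CsvPath -NoTypeInformation }
```

Run it as `.\Get-AdAccountActivity.ps1 -DomainControllers dc01,dc02 -Hours 48 -CsvPath activity.csv` (file name is mine). Include the PDC emulator in the list or the lockout rows will be incomplete, and the two code paths exist precisely because of the pattern above: a single `Get-WinEvent` filter on the 4xxx IDs is silent on a 2003 domain controller, while a filter on the old IDs is silent on 2008.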
We've barely scratched the surface when it comes to monitoring Active Directory account activity. For details on auditing directory service access, go here.
An Easier Way
Personally, I love the technology and I enjoy playing with the various filters. However, many others do not have time for this, especially overworked system administrators who simply cannot find enough time in the day. This is where a software as a service (SaaS) solution can be extremely helpful.
Take a look at the screenshot below, for example. This is a simple account activity report generated with our cloud-based remote infrastructure monitoring solution. I apologize for the shameless plug, but we were able to generate this simple report in a matter of minutes with just a few clicks. These days, with technology moving as quickly as it is, we need solutions that focus on results and not on the technology itself. But hey, there are others out there as well. What are some of your favorites? Share your thoughts in the comments section!
