If you remember, I have a complete video on user rights in a previous blog post. In the  video I had discussed the basics of user rights including how they are deployed, what controls they provide, and how to properly report on them for your Windows servers.

Now that you know how to report on user rights, as well as how to correctly configure them using Group Policy, we need to ensure that you maintain these settings on each server. This is important for a few reasons:

  1. It is easy to set up a Group Policy Object to modify the user rights on any server (or on many servers at one time).

  2. The local administrator of the server can control nearly every setting, so it is important to know when user rights change.

With both local controls and Group Policy being able to modify user rights on any server, there needs to be some monitoring of when user rights change. It is not easy to see user rights in a report or get an email from Microsoft tools becausethey are not designed to perform such actions.

Keep track of user right changes in real-time with ADAudit Plus. Know more | Download free trial.

I recommend that you use a tool like ADAudit Plus to monitor when user rights change. This can be done easily with the ManageEngine tool, ADAudit Plus. Like any other monitoring that I have discussed with ADAudit Plus, you must first ensure that the Windows servers are auditing correctly by setting up the Audit Policy. For user rights, you will need to enable the “Audit Policy Change” with legacy auditing or “Policy Change: Audit Authorization Policy Change” if using Advanced Auditing. You can see both configurations in Figure 1 and Figure 2, respectfully.

user rights figure 1

Figure 1. Audit Policy for tracking changes to user rights.

user rights figure 2

Figure 2. Advanced Audit Policy for tracking changes to user rights.

Now that you have the correct auditing established, you only need to ensure that you have your Windows servers configured in ADAudit Plus. You can do this on the Configuration tab in ADAudit Plus. Then, you just need to view the Server Audit tab: Server Audit Reports: Policy Changes report to see any changes to user rights. You can see what this report looks like in Figure 3.

user rights figure 3

Figure 3. User rights changes are visible in ADAudit Plus reports.

Now, you can not only report on the current settings, but also you can see when these key user rights change. Not only on one server, but every Windows server! BTW, don’t forget, you can associate an alert to any ADAudit Plus report that you choose!