If you remember, I have a complete video on user rights in a previous blog post. In the video I had discussed the basics of user rights including how they are deployed, what controls they provide, and how to properly report on them for your Windows servers.
Now that you know how to report on user rights, as well as how to correctly configure them using Group Policy, we need to ensure that you maintain these settings on each server. This is important for a few reasons:
-
It is easy to set up a Group Policy Object to modify the user rights on any server (or on many servers at one time).
-
The local administrator of the server can control nearly every setting, so it is important to know when user rights change.
With both local controls and Group Policy being able to modify user rights on any server, there needs to be some monitoring of when user rights change. It is not easy to see user rights in a report or get an email from Microsoft tools becausethey are not designed to perform such actions.
I recommend that you use a tool like ADAudit Plus to monitor when user rights change. This can be done easily with the ManageEngine tool, ADAudit Plus. Like any other monitoring that I have discussed with ADAudit Plus, you must first ensure that the Windows servers are auditing correctly by setting up the Audit Policy. For user rights, you will need to enable the “Audit Policy Change” with legacy auditing or “Policy Change: Audit Authorization Policy Change” if using Advanced Auditing. You can see both configurations in Figure 1 and Figure 2, respectfully.
Figure 1. Audit Policy for tracking changes to user rights.
Figure 2. Advanced Audit Policy for tracking changes to user rights.
Now that you have the correct auditing established, you only need to ensure that you have your Windows servers configured in ADAudit Plus. You can do this on the Configuration tab in ADAudit Plus. Then, you just need to view the Server Audit tab: Server Audit Reports: Policy Changes report to see any changes to user rights. You can see what this report looks like in Figure 3.
Figure 3. User rights changes are visible in ADAudit Plus reports.
Now, you can not only report on the current settings, but also you can see when these key user rights change. Not only on one server, but every Windows server! BTW, don’t forget, you can associate an alert to any ADAudit Plus report that you choose!
