“Best of MOM 2005” Holiday Countdown – Day 6
Windows Security Event Audit Management Pack ver 1.1
This MP is designed as a template to get MOM 2005 administrators started in auditing security events. There are some new features in this version, including GPO auditing. I also included a User Guide with Audit Policy guidance to make this a bit easier for the novice to navigate. This MP audits a large number of Active Directory and Windows security events, including:
- User and Group (Active Directory and Local)
- Organizational Units
- Group Policy Changes* (new)
- Domain Trusts
- Active Directory Topology (sites, site links, subnets)
- Logon Scripts (SYSVOL)
- Local User and Group Events (disabled by default)
*GPO auditing is difficult because Security event logging is esoteric: events include the GPO GUID, but not the friendly name. To address this, I used a response script to retrieve the friendly name of the GPO.
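The GUID-to-name lookup described in the footnote above can be sketched as follows. This is an added example, not the management pack's response script: the function names, the `example.test` domain, the GUID and the sample event text are constructed for illustration. It pulls the GPO's distinguished name out of the event text and reads `displayName` from the GPO object, falling back to a marker when the lookup fails (for example, when the event records the deletion of that GPO).

```powershell
# Added example; not the management pack's response script.
# Constructed, simplified sample of the object name carried in a GPO change event.
$sampleEventText = @'
Object Name: CN={11111111-2222-3333-4444-555555555555},CN=Policies,CN=System,DC=example,DC=test
'@

function Get-GpoDnFromEventText {
    param([Parameter(Mandatory)][string]$Text)
    # GPOs are stored in AD as CN={GUID},CN=Policies,CN=System,<domain DN>.
    $guid    = '\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}'
    $pattern = "CN=$guid,CN=Policies,CN=System(,DC=[^,\s]+)+"
    [regex]::Matches($Text, $pattern, 'IgnoreCase') |
        ForEach-Object { $_.Value } |
        Select-Object -Unique
}

function Resolve-GpoFriendlyName {
    param([Parameter(Mandatory)][string]$GpoDn)
    $name = $null
    try {
        # displayName on the GPO's directory object holds the friendly name.
        $entry = [ADSI]"LDAP://$GpoDn"
        $name  = [string]$entry.psbase.Properties['displayName'].Value
    } catch {
        # No domain reachable, access denied, or the GPO no longer exists.
    }
    if ([string]::IsNullOrEmpty($name)) { $name = '(unresolved)' }
    [pscustomobject]@{ GpoDn = $GpoDn; FriendlyName = $name }
}

# Resolve every GPO referenced in the event text.
Get-GpoDnFromEventText -Text $sampleEventText |
    ForEach-Object { Resolve-GpoFriendlyName -GpoDn $_ }
```

Run on a machine that cannot reach the domain, the constructed sample resolves to `(unresolved)`, which is the same path an alert would take for a GPO that has since been deleted.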
Configuration
To get full functionality from this management pack, you must enable object access auditing in Active Directory for Organizational Units and Group Policies. Additionally, you must enable auditing on the SYSVOL share for logon script auditing to succeed. See the user guide for details.
WHERE TO GET IT
Download the updated Windows Security Event Audit MP HERE.

