Event logs in Server

Event logs

%WinDir%\System32\Winevt\Logs

Set maximum log size
Event Viewer -> Select the event log -> Action -> Properties -> Max log size

https://technet.microsoft.com/en-us/library/cc748890.aspx
http://blogs.technet.com/b/askds/archive/2011/08/29/the-security-log-haystack-event-forwarding-and-you.aspx

PowerShell

https://technet.microsoft.com/en-us/library/ee176846.aspx

Active Directory Audit users and generate report

Run the following commands in a Server 2008 Command Prompt

Generate list (csv file output) for active users in AD

csvde -d "ou=Users,DC=ABC,DC=net" -r "(&(objectCategory=person)(objectClass=user)(|(useraccountcontrol=512)(useraccountcontrol=66048)))" -l "sAMAccountName,givenName,sn,description,whenCreated" -f report_sno1.csv

Generate list from Domain Controller containing new user accounts added during the audit period (details: user name in the system, employee name, and granted date and time)

csvde -d "ou=Users,DC=ABC,DC=net" -r "(&(objectCategory=person)(objectClass=user)(|(useraccountcontrol=512)(useraccountcontrol=66048))(&(whenCreated>=20130701000000.0Z)(whenCreated<=20131031000000.0Z)))" -l "sAMAccountName,givenName,sn,description,whenCreated" -f report_sno2.csv

Generate list from Domain Controller containing user accounts revoked during the audit period

csvde -d "ou=Users,DC=ABC,DC=net" -r "(&(objectCategory=person)(objectClass=user)(|(useraccountcontrol=514)(useraccountcontrol=66050))(&(whenChanged>=20130701000000.0Z)(whenChanged<=20131031000000.0Z)(whenCreated<=20131031000000.0Z)))" -l "sAMAccountName,givenName,sn,description,whenChanged" -f report_sno3.csv
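
The three filters above match userAccountControl by exact value (512/66048 for active, 514/66050 for disabled), so an account carrying any other flag combination appears in none of the reports. The following added example (not part of the original page) checks a csvde export for such accounts by testing the ACCOUNTDISABLE bit instead; it assumes userAccountControl was added to the -l attribute list, and the sample rows, account names and function names are constructed for illustration.

```python
import csv
import io
from datetime import datetime, timezone

ACCOUNTDISABLE = 0x0002        # documented userAccountControl bit
ACTIVE_EXACT = {512, 66048}    # values matched by the page's "active" filter
DISABLED_EXACT = {514, 66050}  # values matched by the page's "revoked" filter

# Constructed sample export, not real data. Assumes userAccountControl
# was included in the csvde -l attribute list.
SAMPLE_CSV = '''DN,sAMAccountName,userAccountControl,whenCreated
"CN=Alice Example,OU=Users,DC=ABC,DC=net",alice,512,20130815093000.0Z
"CN=Bob Example,OU=Users,DC=ABC,DC=net",bob,66048,20120301120000.0Z
"CN=Carol Example,OU=Users,DC=ABC,DC=net",carol,544,20130902101500.0Z
"CN=Dave Example,OU=Users,DC=ABC,DC=net",dave,514,20130710080000.0Z
"CN=Erin Example,OU=Users,DC=ABC,DC=net",erin,66082,20110101000000.0Z
'''

def parse_generalized_time(value):
    """Parse an AD timestamp such as 20130701000000.0Z into a UTC datetime."""
    parsed = datetime.strptime(value, "%Y%m%d%H%M%S.0Z")
    return parsed.replace(tzinfo=timezone.utc)

def audit(csv_text, start, end):
    """Classify accounts by the disable bit and list what exact matching misses."""
    start_dt = parse_generalized_time(start)
    end_dt = parse_generalized_time(end)
    report = {"active": [], "disabled": [],
              "missed_by_exact_match": [], "new_in_window": []}
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = row["sAMAccountName"]
        uac = int(row["userAccountControl"])
        disabled = bool(uac & ACCOUNTDISABLE)
        report["disabled" if disabled else "active"].append(name)
        # Extra flags (e.g. 544 = 512 + PASSWD_NOTREQD) defeat an exact match.
        if uac not in (DISABLED_EXACT if disabled else ACTIVE_EXACT):
            report["missed_by_exact_match"].append(name)
        created = parse_generalized_time(row["whenCreated"])
        if not disabled and start_dt <= created <= end_dt:
            report["new_in_window"].append(name)
    return report

if __name__ == "__main__":
    result = audit(SAMPLE_CSV, "20130701000000.0Z", "20131031000000.0Z")
    for key, names in result.items():
        print(f"{key}: {', '.join(names)}")
```

The same bit test can be expressed in the LDAP filter itself with the bitwise AND matching rule, (userAccountControl:1.2.840.113556.1.4.803:=2) for disabled accounts and its negation for enabled ones.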