Title: Group membership changes trigger “Object Security” changes where the WHO CHANGED is reporting “System”

When an account is added to a high-privilege group (e.g. Domain Administrators, Enterprise Administrators), the Active Directory Change Summary report may also contain an “Object Security” change for the user account that was added to the group, with WHO CHANGED reported as “System”. For example: John Doe has been added to the Domain Admins group and the change summary contains 2 changes. The first change is the domain group membership change and the second is the change to John Doe’s account (Object Security).
 
Change Type: Modified
Object Type: group
When Changed: 12/3/2013 7:32:27 AM
Who Changed: DOMAINX\administrator
Where Changed: ptdc.domainx.local
Workstation: ptdc.domainx.local, MAC Address: 00:15:5D:02:51:2B
Object Name: \local\domainx\Users\Domain Admins
Details: Security Global Group Member: Added: "domainx.local/Users/John Doe"

Change Type: Modified
Object Type: user
When Changed: 12/3/2013 7:21:09 AM
Who Changed: system
Where Changed: unknown
Workstation: unknown
Object Name: \local\domainx\Users\John Doe
Details: Object Security: Added: "Permissions: Pre-Windows 2000 Compatible Access (Allow: Read Remote Access Information, Read Account Restrictions, Read General Information, Read Group Membership, List object, Read permissions, Read all properties, List contents, Read Logon Information); NT AUTHORITY\SELF (Allow: Read Private Information, Write Private Information, Private Information); NT AUTHORITY\Authenticated Users (Allow: List object, Read all properties, List contents); Administrators (Allow: List object, Read permissions, Read all properties, Modify Permissions, Write all properties, Delete, All validated writes, List contents, Modify owner, Delete all child objects, Create all child objects, All extended rights); DOMAINX\Enterprise Admins (Allow: List object, Read permissions, Read all properties, Modify Permissions, Write all properties, All validated writes, List contents, Modify owner, Delete all child objects, Create all child objects, All extended rights); Audit: Everyone (Success: Modify Permissions, Write all properties, Modify owner)"

When an account is added to a high-privilege group, the System (Active Directory) automatically modifies the user account by assigning it a corresponding set of rights. In this case, Netwrix Auditor reports both the group membership change (with the user name) and the rights assignment event (System).

For more details about which rights assignments correspond to default groups, see http://technet.microsoft.com/en-us/library/cc756898(v=ws.10).aspx
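
One way to triage these paired entries, as an added example that is not Netwrix code: it labels each System-made Object Security change on a user as expected when the same records contain an addition of that user to a privileged group within a time window. The record keys mirror the report columns; the group list, the 30-minute window, the US date format and the Jane Roe record are assumptions made for the illustration.

```python
from datetime import datetime, timedelta

# Assumptions for this illustration: group list, tolerance window, US-style timestamps.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins"}
WINDOW = timedelta(minutes=30)
FMT = "%m/%d/%Y %I:%M:%S %p"

def leaf(path):
    """Last path component, e.g. 'John Doe' from a report object name."""
    return path.replace("/", "\\").rstrip("\\").split("\\")[-1]

def privileged_adds(records):
    """Yield (time, member name) for each member added to a privileged group."""
    marker = 'Member: Added: "'
    for r in records:
        if r["Object Type"] != "group" or leaf(r["Object Name"]) not in PRIVILEGED_GROUPS:
            continue
        if marker in r["Details"]:
            member = r["Details"].split(marker, 1)[1].rstrip('"')
            yield datetime.strptime(r["When Changed"], FMT), leaf(member)

def classify(records):
    """Map each user with a system-made Object Security change to a triage label."""
    adds = list(privileged_adds(records))
    result = {}
    for r in records:
        if (r["Object Type"] == "user" and r["Who Changed"].lower() == "system"
                and r["Details"].startswith("Object Security:")):
            when, user = datetime.strptime(r["When Changed"], FMT), leaf(r["Object Name"])
            matched = any(m == user and abs(t - when) <= WINDOW for t, m in adds)
            result[user] = "expected" if matched else "unexplained"
    return result

# Sample records: the first two are abridged from the report above; the third is constructed.
SAMPLE = [
    {"Object Type": "group", "When Changed": "12/3/2013 7:32:27 AM",
     "Who Changed": "DOMAINX\\administrator",
     "Object Name": "\\local\\domainx\\Users\\Domain Admins",
     "Details": 'Security Global Group Member: Added: "domainx.local/Users/John Doe"'},
    {"Object Type": "user", "When Changed": "12/3/2013 7:21:09 AM", "Who Changed": "system",
     "Object Name": "\\local\\domainx\\Users\\John Doe",
     "Details": 'Object Security: Added: "Permissions: ..."'},
    {"Object Type": "user", "When Changed": "12/3/2013 9:05:00 AM", "Who Changed": "system",
     "Object Name": "\\local\\domainx\\Users\\Jane Roe",
     "Details": 'Object Security: Added: "Permissions: ..."'},
]

if __name__ == "__main__":
    print(classify(SAMPLE))
```

The window is applied in both directions because the two entries in the report above carry timestamps about eleven minutes apart, with the System entry listed earlier.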
 

 