Group membership changes trigger “Object Security” changes where the WHO CHANGED is reporting “System”

Active Directory
Reporting
6.5 and older
7.0-8.5
9.0-9.7
9.8
https://kb.netwrix.com/271

When an account is added to a highly privileged group (e.g. Domain Administrators, Enterprise Administrators), the Active Directory Change Summary report may also contain “Object Security” changes for the user account that was added to the group, with WHO CHANGED reported as “System”. For example: John Doe has been added to the Domain Admins group and the change summary contains 2 changes. The first change is the domain group membership change, and the second is the change to John Doe’s account (Object Security).

| Change Type | Object Type | When Changed | Who Changed | Where Changed | Workstation | Object Name | Details |
| --- | --- | --- | --- | --- | --- | --- | --- |
| Modified | group | 12/3/2013 7:32:27 AM | DOMAINX\administrator | ptdc.domainx.local | ptdc.domainx.local, MAC Address: 00:15:5D:02:51:2B | \local\domainx\Users\Domain Admins | Security Global Group Member: Added: “domainx.local/Users/John Doe” |
| Modified | user | 12/3/2013 7:21:09 AM | system | unknown | unknown | \local\domainx\Users\John Doe | Object Security: Added: “Permissions: Pre-Windows 2000 Compatible Access (Allow: Read Remote Access Information, Read Account Restrictions, Read General Information, Read Group Membership, List object, Read permissions, Read all properties, List contents, Read Logon Information); NT AUTHORITY\SELF (Allow: Read Private Information, Write Private Information, Private Information); NT AUTHORITY\Authenticated Users (Allow: List object, Read all properties, List contents); Administrators (Allow: List object, Read permissions, Read all properties, Modify Permissions, Write all properties, Delete, All validated writes, List contents, Modify owner, Delete all child objects, Create all child objects, All extended rights); DOMAINX\Enterprise Admins (Allow: List object, Read permissions, Read all properties, Modify Permissions, Write all properties, All validated writes, List contents, Modify owner, Delete all child objects, Create all child objects, All extended rights); Audit: Everyone (Success: Modify Permissions, Write all properties, Modify owner)” |

When an account is added to a highly privileged group, the System (Active Directory) automatically modifies the user account by assigning it a corresponding set of rights. In this case, Netwrix Auditor reports both the group membership change (with the user name) and the rights assignment event (System).

For more details about which rights assignments correspond to default groups, see http://technet.microsoft.com/en-us/library/cc756898(v=ws.10).aspx
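One way to triage these paired rows, as an added example (not Netwrix code and not part of the original article): the Python below pairs each System “Object Security” change on a user with a privileged-group membership add for the same account, and leaves the change unmatched for manual review when no such add exists. The row field names, the 60-minute window, the backslash-separated object-name format and the sample rows are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins"}  # assumption: tune per domain
WINDOW = timedelta(minutes=60)  # assumption: allowed gap between the two report rows
TS_FORMAT = "%m/%d/%Y %I:%M:%S %p"
MEMBER_ADDED = re.compile(r'Member: Added: [“"](.+?)[”"]')

def canonical_to_object_name(canonical):
    # 'domainx.local/Users/John Doe' -> '\local\domainx\Users\John Doe' (assumed format)
    domain, *rest = canonical.split("/")
    return "\\" + "\\".join(list(reversed(domain.split("."))) + rest)

def triage_system_acl_changes(rows):
    # Returns (object_name, group or None) per System Object Security change on a user.
    adds = []
    for r in rows:
        m = MEMBER_ADDED.search(r["details"])
        group = r["object_name"].rsplit("\\", 1)[-1]
        if r["object_type"] == "group" and m and group in PRIVILEGED_GROUPS:
            adds.append((canonical_to_object_name(m.group(1)).lower(),
                         datetime.strptime(r["when"], TS_FORMAT), group))
    results = []
    for r in rows:
        if (r["object_type"] != "user" or r["who"].lower() != "system"
                or not r["details"].startswith("Object Security")):
            continue
        when = datetime.strptime(r["when"], TS_FORMAT)
        match = next((g for name, t, g in adds if name == r["object_name"].lower()
                      and abs(when - t) <= WINDOW), None)
        results.append((r["object_name"], match))
    return results

# Constructed rows modeled on the report columns; Jane Roe is a made-up account.
SAMPLE_ROWS = [
    {"object_type": "group", "when": "12/3/2013 7:32:27 AM", "who": r"DOMAINX\administrator",
     "object_name": r"\local\domainx\Users\Domain Admins",
     "details": "Security Global Group Member: Added: “domainx.local/Users/John Doe”"},
    {"object_type": "user", "when": "12/3/2013 7:21:09 AM", "who": "system",
     "object_name": r"\local\domainx\Users\John Doe",
     "details": "Object Security: Added: “Permissions: (abbreviated)”"},
    {"object_type": "user", "when": "12/3/2013 9:05:00 AM", "who": "system",
     "object_name": r"\local\domainx\Users\Jane Roe",
     "details": "Object Security: Added: “Permissions: (abbreviated)”"},
]

if __name__ == "__main__":
    for name, group in triage_system_acl_changes(SAMPLE_ROWS):
        print(name, "->", group or "no matching privileged-group add; review")
```

The window is applied in both directions because, in the report above, the System row carries an earlier timestamp than the group membership row.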
