How to Enable & Trackdown user actions concerning files and folders access

image_pdfimage_print

It is important to audit all user actions concerning files and folders access. In this article, the process of enabling files and folders auditing on Windows Server Systems have been explained.

On Windows Server Systems, auditing file and folder accesses consists of two parts:

1. Enable File and Folder auditing which can be done in two ways:

a) Through Group Policy (for Domains, Sites and Organizational Units)
b) Local Security policy (for single Servers)

2. Track-down Events for File and Folders


1 a. Enable Auditing through Group Policy

Run gpedit.msc, configure Default Domain Policy → Computer Configuration → Policies → Windows Settings → Security Settings → Local Policies → Audit Policy → Audit object access → Define “Success and Failures”.
In the “Advanced Audit Policy Configuration” adjust Audit File System → Define “Success and Failures” and Audit Handle Manipulation → Define “Success and Failures”.

1 b. Enable Auditing of Specific Folder

Navigate to the file share, right-click it and select “Properties” → “Security” tab → “Advanced” button → “Auditing” tab → Click “Add” button Select Principal: “Everyone”; Select Type: “All”; Select Applies to: “This folder, subfolders and files”
Select the following “Advanced Permissions”: сreate files/write data, сreate folders/append data, write attributes, write extended attributes.

2. Trackdown Events for File and Folders

Event ID Event Message
4656 A handle to an object was requested
4658 The handle to an object was closed
4660 An object was deleted
4663 An attempt was made to access an object
4685 The state of a transaction has changed
4985 The state of a transaction has changed

How to Unlock vCenter SSO Domain Accounts from the Command Line

image_pdfimage_print

We will require to confirm the existing Domain Name & Site Name as the first step.
Then only we will be able to reset the SSO Domain Account.
The Steps are as follows;

Step 01 – Identifying the Domain Name & Site Name

Begin by SSH to your VCSA.
Discovering your SSO Domain Name:

/usr/lib/vmware-vmafd/bin/vmafd-cli get-ls-location -–server-name localhost
/usr/lib/vmware-vmdir/bin/vmafd-cli get-domain-name –server-name localhost

Discovering your SSO Site Name:

/usr/lib/vmware-vmafd/bin/vmafd-cli get-site-name -–server-name localhost

Another option is to use the vdcrepadmin tool with the showservers switch, this will display all of the PSC Appliances and their associated Sites and Domains within the single SSO Domain:

/usr/lib/vmware-vmdir/bin/vdcrepadmin -f showservers -h localhost -u administrator

Step 02 – Resetting the SSO Domain Admin Account

Run the following command:

/usr/lib/vmware-vmdir/bin/vdcadmintool

and select option 3

Type the full username at the Please enter account UPN prompt;
Then you will be able to reset the SSO Domain Admin Account.