Friday, June 14, 2019

Auditing Windows server events for changes to local accounts and local group membership changes

Windows system administrators are often asked to provide security audit logs showing which local user accounts were created, when they were created and who created them. Auditors can also request logs showing when the membership of local privileged groups such as Administrators, Power Users, Backup Operators and Remote Desktop Users was modified and by whom.

To support these requests, Windows server administrators need to enable auditing in the local security policy and then use their monitoring tools to track specific event IDs in the server's Windows Security log.

Step 1: Enable auditing

For Windows Server 2008, 2012 and 2016, enable "Audit Security Group Management" and "Audit User Account Management" for Success and Failure.

These settings are located under Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Account Management.

Once these settings are enabled, monitor the following events in the Security event log.

Event source: Microsoft Windows security auditing

Task Category: Security Group Management
Event IDs:
  • 4728 (A member was added to a security-enabled global group)
  • 4729 (A member was removed from a security-enabled global group)
  • 4732 (A member was added to a security-enabled local group)
  • 4733 (A member was removed from a security-enabled local group)

Task Category: User Account Management
Event IDs:
  • 4720 (A user account was created)
  • 4722 (A user account was enabled)
  • 4724 (An attempt was made to reset an account's password)
  • 4726 (A user account was deleted)
  • 4738 (A user account was changed)
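The following PowerShell script is an added example (not part of the original post) that carries both steps through: it enables the two audit subcategories with auditpol and then reports the event IDs listed above from the Security log, showing who made each change and which account or group was affected. It assumes an elevated PowerShell 5.1 or later session on Windows Server 2008 R2 or newer; the field names (SubjectUserName, TargetUserName, MemberName, MemberSid) are those used in the event XML of these event IDs.

```powershell
# Added example: enable the audit subcategories from Step 1, then summarise
# the account and group-membership events named in the post.
# Assumes an elevated session; auditpol subcategory names are the English ones.

# Step 1: enable Success and Failure auditing (same result as the GUI path).
auditpol /set /subcategory:"User Account Management"   /success:enable /failure:enable | Out-Null
auditpol /set /subcategory:"Security Group Management" /success:enable /failure:enable | Out-Null

# Step 2: collect the listed event IDs from the last 7 days.
$accountEvents = 4720, 4722, 4724, 4726, 4738   # User Account Management
$groupEvents   = 4728, 4729, 4732, 4733         # Security Group Management

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = $accountEvents + $groupEvents
    StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue

# Read one named <Data> element out of the event XML.
function Get-EventField {
    param([xml]$Xml, [string]$Name)
    ($Xml.Event.EventData.Data | Where-Object Name -eq $Name).'#text'
}

# 4732/4733 often record only the member's SID for local accounts; resolve it to a name.
function Resolve-Sid {
    param([string]$Sid)
    if ([string]::IsNullOrEmpty($Sid) -or $Sid -eq '-') { return $Sid }
    try   { (New-Object System.Security.Principal.SecurityIdentifier($Sid)).Translate([System.Security.Principal.NTAccount]).Value }
    catch { $Sid }   # deleted or unknown account: keep the raw SID so the record is not lost
}

$report = foreach ($e in $events) {
    $x       = [xml]$e.ToXml()
    $isGroup = $groupEvents -contains $e.Id
    $member  = ''
    if ($isGroup) {
        $member = Get-EventField $x 'MemberName'
        if (-not $member -or $member -eq '-') { $member = Resolve-Sid (Get-EventField $x 'MemberSid') }
    }
    [pscustomobject]@{
        Time      = $e.TimeCreated
        EventId   = $e.Id
        Action    = ($e.Message -split '\r?\n')[0]           # e.g. "A user account was created."
        ChangedBy = '{0}\{1}' -f (Get-EventField $x 'SubjectDomainName'), (Get-EventField $x 'SubjectUserName')
        Target    = Get-EventField $x 'TargetUserName'       # the account, or the group for 47xx group events
        Member    = $member                                  # the account added to / removed from the group
    }
}

$report | Sort-Object Time | Format-Table -AutoSize
```

Pipe `$report` to Export-Csv instead of Format-Table to hand the result to an auditor or to your monitoring tool.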

Friday, March 8, 2013

Guest Reclaim Tool

Guest Reclaim reclaims dead space from NTFS volumes hosted on a thin provisioned SCSI disk. The tool can also reclaim space from whole disks and partitions, which wipes the file systems on them. Because the tool operates on active data, take all precautionary measures: understand the SCSI UNMAP framework and back up important data first.

Features

  • Reclaim space from Simple FAT/NTFS volumes
  • Works on WindowsXP to Windows7
  • Can reclaim space from flat partitions and flat disks
  • Can work in virtual as well as physical machines

What is a thin provisioned (TP) SCSI disk? In a thin provisioned LUN/disk, physical storage space is allocated on demand. That is, the storage system allocates space as and when a client (for example, a file system or database) writes data to the storage medium. One primary goal of thin provisioning is to allow storage overcommit. A thin provisioned disk can be a virtual disk, or a physical LUN/disk exposed from a storage array that supports TP. Virtual disks created as thin disks are exposed as TP disks starting with virtual Hardware Version 9.

What is dead space reclamation? Deleting files frees up space on the file system volume. This freed space stays allocated to the LUN/disk until it is released and reclaimed by the underlying storage layer. Free space reclamation allows the lower-level storage layer (for example a storage array, or a hypervisor) to repurpose the space freed by one client for some other storage allocation request. For example:
  • A storage array that supports thin provisioning can repurpose the reclaimed space to satisfy allocation requests for some other thin provisioned LUN within the same array.
  • A hypervisor file system can repurpose the reclaimed space from one virtual disk for satisfying allocation needs of some other virtual disk within the same data store.

GuestReclaim allows transparent reclamation of dead space from NTFS volumes.

System requirements

Thin provisioned (TP) SCSI disk
Space can be reclaimed on SCSI disks that advertise themselves as thin provisioned (TP) devices. GuestReclaim queries the device for its TP status using standard SCSI primitives such as reading the vital product data page (B0 VPD). GuestReclaim then issues SCSI UNMAP commands to the underlying storage to reclaim dead space.

Supported Operating Systems
  • Desktop: XP onwards up to Windows 7
  • Server: Until Windows 2008

Administrative Privileges
The tool needs to be executed with Administrator privileges.

Supported Filesystem
NTFS only.

Download link

http://labs.vmware.com/flings/guest-reclaim

Instructions

The tool is provided as a standalone binary executable. Unzip the package, which contains a single program. The tool needs to be executed with Administrator privileges.

Run GuestReclaim.exe from the command prompt. Use the --list option to list the available thin provisioned disks on the system. If none show up, the first 16 drives are not thin provisioned. Set the environment variable RECLAIM_DEBUG to see verbose output of the TP query results.