Auditing Configuration - Help please


David Fausto
Recently some strange permissioning changes have taken
place in our domain. At the same time, the Domain User
group has been placed into the Domain Admin group as well
as into the Local Admin group on a couple of servers. I
believe it is a remote admin making the changes but of
course there is denial there.

Could someone explain to me how to set up auditing and
what I should audit to watch for changes to group
membership and file and directory permission changes?

Thanks in advance for your help.

Keith W. McCammon
At the domain policy level, I'd audit everything under Windows ->
Security -> Local -> Audit.

As far as setting it up is concerned, it's just group policy, at the domain
level. And you can find about 20 different tutorials and documents on
TechNet about setting up auditing for files/folders, domains, and even
specifically for intrusion detection.

That last one can be found here:

http://www.microsoft.com/technet/security/prodtech/win2000/secwin2k/09detect.mspx

"David Fausto" wrote in message
news:16c5801c44899$a1bfe340$a601280a@phx.gbl...
> Recently some strange permissioning changes have taken
> place in our domain. At the same time, the Domain User
> group has been placed into the Domain Admin group as well
> as into the Local Admin group on a couple of servers. I
> believe it is a remote admin making the changes but of
> course there is denial there.
>
> Could someone explain to me how to set up auditing and
> what I should audit to watch for changes to group
> membership and file and directory permission changes?
>
> Thanks in advance for your help.
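
Once account-management auditing is enabled, the group changes described in the question show up in the Security log as "member added" events. The following is an added example, not part of the original thread, that flags additions to administrative groups and marks them critical when the new member is a broad group such as Domain Users. It assumes the Windows Vista/2008 and later event IDs (4728, 4732, 4756) and a Security log exported as XML inside a single root element; the SIDs, host names and account names are constructed.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# "A member was added to a security-enabled group" (Windows Vista/2008 and later).
MEMBER_ADDED = {"4728": "global", "4732": "local", "4756": "universal"}
BUILTIN_ADMINS = "S-1-5-32-544"
ADMIN_RIDS = ("-512", "-519")              # Domain Admins, Enterprise Admins
BROAD_RIDS = ("-513",)                     # Domain Users
BROAD_SIDS = {"S-1-1-0", "S-1-5-11"}       # Everyone, Authenticated Users
DOM = "S-1-5-21-1111-2222-3333"            # constructed domain SID

def _event(eid, host, member_sid, group, group_sid, actor):
    """Build one constructed event in the Windows event XML layout."""
    fields = {"MemberSid": member_sid, "TargetUserName": group,
              "TargetSid": group_sid, "SubjectUserName": actor}
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{eid}</EventID>'
            f'<Computer>{host}</Computer></System><EventData>{data}</EventData></Event>')

# Constructed sample, not real log data.
SAMPLE = "<Events>" + "".join([
    _event(4728, "dc01", DOM + "-513", "Domain Admins", DOM + "-512", "radmin"),
    _event(4732, "srv02", DOM + "-513", "Administrators", BUILTIN_ADMINS, "radmin"),
    _event(4728, "dc01", DOM + "-1104", "Domain Admins", DOM + "-512", "radmin"),
    _event(4728, "dc01", DOM + "-1105", "Helpdesk", DOM + "-1201", "hdlead"),
    _event(4624, "dc01", "", "", "", "jsmith"),
]) + "</Events>"

def is_domain_rid(sid, rids):
    return sid.startswith("S-1-5-21-") and sid.endswith(rids)

def find_risky_additions(xml_text):
    """Return additions to admin groups; 'critical' when the member is a broad group."""
    findings = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        eid = ev.findtext("e:System/e:EventID", default="", namespaces=NS)
        if eid not in MEMBER_ADDED:
            continue
        d = {x.get("Name"): x.text or "" for x in ev.findall("e:EventData/e:Data", NS)}
        group_sid, member_sid = d.get("TargetSid", ""), d.get("MemberSid", "")
        if group_sid != BUILTIN_ADMINS and not is_domain_rid(group_sid, ADMIN_RIDS):
            continue  # not an administrative group
        broad = member_sid in BROAD_SIDS or is_domain_rid(member_sid, BROAD_RIDS)
        findings.append({"severity": "critical" if broad else "review",
                         "host": ev.findtext("e:System/e:Computer", "", NS),
                         "group": d.get("TargetUserName", ""), "member_sid": member_sid,
                         "actor": d.get("SubjectUserName", ""), "scope": MEMBER_ADDED[eid]})
    return findings

if __name__ == "__main__":
    for f in find_risky_additions(SAMPLE):
        print(f)
```

The `actor` field comes from the event's `SubjectUserName`, which is the account that made the change.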