Sarbanes-Oxley spawned a whole new segment of the IT industry: auditing for the sake of auditing. Auditing changes within your network is, and always has been, important, but SOX compliance has pushed much of the software that does this toward the checkbox solution: just make sure you have auditing in place.
This takes us away from an important aspect of keeping track of network and data changes: how they affect the business. Why track changes to Active Directory if the people (users) who need to know this information have no access to it?
Let’s think of an example. I own a security group that I have asked IT to manage dynamically (see GroupID Automate). I want every single person who works from a home office to be a member of this Active Directory group so that a GPO lets them VPN in. It’s easy to set up based on office location.
One day, somebody in HR makes a mistake and decides that PeopleSoft should have everyone in Cincinnati be in a consistent location (he doesn’t know about the home office program in Cincinnati); PeopleSoft then synchronizes over to AD and my dynamic group loses members. My help desk is flooded with calls from all these users sitting on their couches trying to VPN into the network.
How the heck do I troubleshoot this?
Well, I take a look at the group first in GroupID. I see that 84 of my 412 group members have been removed. I click on the list of names and take a look at the user object of one and see that her address changed. I look at the history on a couple more and see a pattern. They are all in Cincinnati, and all of their addresses changed because of a synchronization job from PeopleSoft.
I’ve figured it out and can get the problem rectified.
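The troubleshooting above, reduced to code, is three steps: re-evaluate the dynamic rule against a before and an after snapshot of the directory, diff the two membership sets, and then group the dropped members by who changed the rule attribute and where they are located. The following is an added example, not GroupID's or any Active Directory API's code; the directory snapshots, the change log, the attribute names (`office`, `city`) and the `svc_peoplesoft_sync` account are all constructed for the illustration.

```python
"""Added example (not GroupID's code): evaluate a dynamic group rule of
'office == Home Office' before and after an HR feed rewrote locations,
then explain the membership loss from a change log.  All data and the
attribute names below are constructed assumptions, not a real AD schema."""
from collections import Counter

# Constructed "before" snapshot, keyed by account name.
BEFORE = {
    "asmith": {"office": "Home Office", "city": "Cincinnati"},
    "bjones": {"office": "Home Office", "city": "Cincinnati"},
    "cwu":    {"office": "Home Office", "city": "Denver"},
    "dlee":   {"office": "HQ",          "city": "Cincinnati"},
}

# Constructed "after" snapshot: the HR sync set every Cincinnati user's
# office to the downtown address, including the home-office workers.
AFTER = {
    "asmith": {"office": "Downtown",    "city": "Cincinnati"},
    "bjones": {"office": "Downtown",    "city": "Cincinnati"},
    "cwu":    {"office": "Home Office", "city": "Denver"},
    "dlee":   {"office": "Downtown",    "city": "Cincinnati"},
}

# Constructed change history: which account changed which attribute.
CHANGE_LOG = [
    {"user": "asmith", "attr": "office", "old": "Home Office", "new": "Downtown", "by": "svc_peoplesoft_sync"},
    {"user": "bjones", "attr": "office", "old": "Home Office", "new": "Downtown", "by": "svc_peoplesoft_sync"},
    {"user": "dlee",   "attr": "office", "old": "HQ",          "new": "Downtown", "by": "svc_peoplesoft_sync"},
]


def dynamic_members(snapshot, attr="office", value="Home Office"):
    """Evaluate the group rule: every user whose attribute equals the value."""
    return {user for user, attrs in snapshot.items() if attrs.get(attr) == value}


def membership_diff(before, after):
    """Return (removed, added) member sets between two rule evaluations."""
    old, new = dynamic_members(before), dynamic_members(after)
    return old - new, new - old


def explain_removals(removed, change_log, rule_attr="office"):
    """Tally, for the dropped members only, who changed the rule attribute.
    One actor accounting for every removal is the 'sync job' pattern."""
    by_actor = Counter()
    for change in change_log:
        if change["user"] in removed and change["attr"] == rule_attr:
            by_actor[change["by"]] += 1
    return by_actor


def removal_report(before, after, change_log):
    """Combine the diff with the actor and city breakdown a group owner
    would want to see: who was dropped, by whom, and from where."""
    removed, added = membership_diff(before, after)
    actors = explain_removals(removed, change_log)
    cities = Counter(after[user]["city"] for user in removed)
    return {
        "removed": sorted(removed),
        "added": sorted(added),
        "changed_by": dict(actors),
        "cities": dict(cities),
    }


if __name__ == "__main__":
    print(removal_report(BEFORE, AFTER, CHANGE_LOG))
```

Running it reports that `asmith` and `bjones` were dropped, that both rule-attribute changes came from `svc_peoplesoft_sync`, and that both users are in Cincinnati; `dlee` was also rewritten by the same job but was never a member, so the report correctly ignores him. The point of the report is that it needs only the group rule and the attribute change history, which is exactly what a non-IT group owner can be given read access to.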
Now, here’s the catch. I’m not in IT. I’m not in HR. I have no access to Change Auditor or ADUC. I’m just a guy in operations managing the work-at-home project to save the company real estate costs. And I own a group in Active Directory that helps do this.
By giving me, an actual user who is running part of the business, access to Active Directory history and auditing, I have just increased productivity for the company. So, if you think a manager should be able to audit when their employees have changed their phone number, or a group owner should know when an admin adds a user, or a user should know if HR changed their title, give them Active Directory auditing for the people: GroupID.