How to set up Windows logging to capture SCP creation
Applies to: All versions of Centrify Direct Control
Question: Is there a way to find out who added a user to a Zone in Access Manager?
Answer: You can use ADSI Edit to set up auditing on Service Connection Points (i.e. zone objects).
Here are the basic steps to set up auditing within Windows.
In ADSI edit -> search for the zone or container -> right click on the zone or container -> Properties -> Security -> Advanced -> Auditing.
By default, you should see that Everyone is being audited. If not, click Add -> Everyone -> "Apply onto" drop-down menu and select ServiceConnectionPoint.
Set the audited permission to "Write all Properties"; this captures modifications to an existing UNIX profile. To also capture creation or deletion of a profile, select Create and/or Delete.
Once this is done, any change made in the Centrify DirectControl Console, such as adding a new user to a zone, will show up in the Security event log.
Since this audit is configured per machine/DC, these steps need to be done on every domain controller used by Centrify, as any DC can handle the request. This information is not replicated to other DCs.
This is all part of Active Directory auditing and unrelated to Centrify products; it is a recommendation of tools to use for auditing zone object changes.
Example of an event written to the Windows Security log:
Event ID 4662, Task Category: Directory Service Account
This event contains the name of the account making the addition as well as the user that was added.
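Because the audit log lives on whichever DC handled the change, reviewing it means querying each DC's Security log for 4662 and keeping only the hits on serviceConnectionPoint objects. The script below is an added example, not from the Centrify article; it assumes the ActiveDirectory module is available, that the DC names are replaced with your own, and that the account running it can read the Security log remotely.

```powershell
# Added example (not Centrify's code): collect Event ID 4662 from each DC and
# report who touched a serviceConnectionPoint (zone) object.
param(
    [string[]]$DomainControllers = @('dc01', 'dc02'),   # placeholder DC names
    [datetime]$Since = (Get-Date).AddDays(-1)
)
Import-Module ActiveDirectory

# 4662 may show the object type as a schema GUID instead of the class name,
# so resolve the serviceConnectionPoint class GUID from the schema and match either.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$scpClass = Get-ADObject -SearchBase $schemaNC -Filter "lDAPDisplayName -eq 'serviceConnectionPoint'" -Properties schemaIDGUID
$scpGuid  = ([guid]$scpClass.schemaIDGUID).ToString()

foreach ($dc in $DomainControllers) {
    # Security log is local to each DC; the SACL events are not replicated.
    $events = Get-WinEvent -ComputerName $dc -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4662
        StartTime = $Since
    } -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Flatten the EventData <Data Name=...> entries into a hashtable.
        $xml = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

        $type = [string]$d['ObjectType']
        if ($type -notmatch 'serviceConnectionPoint' -and $type -notmatch $scpGuid) { continue }

        [pscustomobject]@{
            TimeCreated = $e.TimeCreated
            DC          = $dc
            Subject     = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
            Operation   = $d['OperationType']
            AccessMask  = $d['AccessMask']
            Object      = $d['ObjectName']
        }
    }
}
```

The Object field is the distinguished name of the zone or profile object that was written, so it identifies the zone and the added user while Subject identifies who made the change.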