how to know the ip address of the user making changes to the server

Question

how to know the ip address of the user making changes to the server using the local admin account.
and how to know the changes he is making with local admin account ,keep in mind that no security tools are permitted to be installed .

Answer 1

Hi @la reine de paix

The Audit object access policy handles auditing access to all objects that reside outside of AD. The first use you might think of for this policy is file and folder auditing. You can also use the policy to audit access to any type of Windows object, including registry keys, printers, and services.

Furthermore, to audit access to an object such as a crucial file, you must enable more than just this policy; you must also enable auditing for the specific objects that you want to track. To configure an object’s audit policy:

Open the object's Properties dialog box.
Select the Security tab
Click Advanced.
Select the Auditing tab as shown below

However, be warned: This policy can bog down servers. Audit only crucial objects and audit only for crucial access (e.g., Write access).

The policy has 11 subcategories:
File System
Registry
Kernel Object
SAM
Certification Services
Application Generated
Handle Manipulation
File Share
Filtering Platform Packet Drop
Filtering Platform Connection
Other Object Access Events

refer- Object Access Events

If the Answer is helpful, please click Accept Answer and up-vote, so that it can help others in the community looking for help on similar topics.

Answer 2

Hello,

As far as i know once you configured Audit object access policy, you can do the analysis using Object access events ID. You can refer below links to check different event id's and their meanings,

https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-audit-object-access

--please don't forget to upvote and Accept as answer if the reply is helpful--

Thanks,

Mohammed S