Hello Mate,

Yup, I've had to deal with a situation like this. We had a disgruntled insider who scripted an attribute modification on an entire OU of accounts that he somehow found that he had rights to be able to modify, and it so happened that we had enabled auditing for the modification of that attribute on user accounts.

Sure enough, by the morning, our disks were entirely depleted of disk space, and we had a situation where users could not log in (DoS). To make a long story short, it was a bad day and we made sure that this would never happen again.

We learnt that there are four ways in which you can prevent something like this from happening -

1. Make sure you have large disks and that you always have a reserve file in place which can be deleted to free up space should it come to this point.

2. Have some sort of alerting mechanism in place, so you can be informed if a large number of events are being generated in a short amount of time.

3. Make sure you've reviewed your auditing settings and that you've only configured auditing for the occurrence of a small set of administrative tasks

AND, most importantly, although not as apparent,...

4. Make sure you know exactly who can perform these tasks to begin with!

Believe it or not, #4 has been SO valuable, because, say for example, if you already know that only 10 people in the company can reset passwords, you can sleep SO much better, than if you have no idea and you're hoping that only a small number of people in your 1,000 user company can reset passwords!

We've actually implemented all these measures in place, and we all sleep so much better.

>- Matt