Who created/deleted an account/object in Active Directory


Our domain is still running AD 2000 with all 2000 servers.  One of my administrators trusted to administer user accounts in AD accidentally deleted an important account.  The deletion was discovered when we noticed that the account did not have the correct group membership and had a three-day-old creation date.  For some unknown reason no one wants to claim responsibility, which is forcing us to find out who did it.  We had auditing set to log Account Management success but for some reason nothing was logged on any server.  If the person connected from their workstation via MMC it would not be logged there.  Does anyone know of a way to find out who created or deleted an account/object in AD if Audit logging is not set or functioning properly?  Currently we are using ldp.exe to try and get some info but we are not developers who know serious AD internals.  We also tried using repadmin with the /showobjmeta and found that showobjmeta is not available in 2K - only 2003.  Any help would be welcome...
PAQed with points refunded (500)

Community Support Moderator
2 things:

1.  I would get this from Quest (it's free):  http://www.quest.com/object_restore_for_active_directory/

2.  Or you can try this:  http://support.microsoft.com/?kbid=840001

And for the future:


Other than that, Scriptlogic may work, but I don't know since it's now "in the past":

I also noticed that Quest also makes: http://www.quest.com/intrust_for_active_directory/

and that will keep change tracking for AD.
netadmins (Author) commented:
Thanks for the comments guys.  As far as logging in the future, we already have that taken care of.  I believe Account Management auditing is set to audit "success" by default on DCs but not a single server logged the creation of the account.  That is a separate issue we are troubleshooting.  At this time we are focusing on finding the culprit.  

 - Thecleaner, the individual recreated a new account so we don't have to worry about a restore.  Not unless you think it may yield some valuable information about who deleted the account...?

We would be just as interested in who created the account as we are in who deleted it.  Unfortunately, the "Owner" is Domain Admins rather than the user that created it and the only other detail we have is the creation date/time.  Any ideas on how to pull who created the account out of AD would be most helpful.
I'm unaware of how to do it without 3rd party tools like the above.
netadmins (Author) commented:
Greetings all,

We contacted Microsoft Support and they told us there is no way to get the information we are looking for.  Auditing is the key so at least we learned a lesson and the next time this happens we will have a record.  Not sure how to award points on this one?
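
Once Account Management auditing is working, user creation on Windows 2000/2003 domain controllers is Security event 624 and deletion is 630, recorded only on the DC that handled the change, so the logs from every DC have to be searched together. The sketch below is an added example, not part of the original thread; the CSV layout, account names and DC names are constructed assumptions.

```python
import csv
import io
from datetime import datetime

# Account Management event IDs on Windows 2000/2003 domain controllers.
EVENTS = {624: "created", 630: "deleted"}

# Constructed sample: Security-log rows exported from each DC into one CSV.
# The column names are an assumption of this example, not a real tool's output.
SAMPLE = """dc,time,event_id,target,caller
DC1,2005-06-01 09:12:44,630,jsmith,EXAMPLE\\admin2
DC2,2005-06-01 09:20:03,624,jsmith,EXAMPLE\\admin2
DC2,2005-06-01 09:21:10,642,jsmith,EXAMPLE\\admin2
DC1,2005-06-02 14:00:00,624,tempuser,EXAMPLE\\admin1
"""

def load(text):
    """Parse the merged CSV export into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))

def account_history(rows, account):
    """Return create/delete events for one account, oldest first."""
    hits = []
    for row in rows:
        action = EVENTS.get(int(row["event_id"]))
        if action and row["target"].lower() == account.lower():
            when = datetime.strptime(row["time"], "%Y-%m-%d %H:%M:%S")
            hits.append((when, row["dc"], action, row["caller"]))
    return sorted(hits)

def silent_dcs(rows, all_dcs):
    """DCs that contributed no rows at all: check their audit policy or export."""
    seen = {row["dc"] for row in rows}
    return sorted(set(all_dcs) - seen)

if __name__ == "__main__":
    rows = load(SAMPLE)
    for when, dc, action, caller in account_history(rows, "jsmith"):
        print(f"{when} {dc}: jsmith {action} by {caller}")
    print("No events from:", silent_dcs(rows, ["DC1", "DC2", "DC3"]))
```

A DC reported by `silent_dcs` has either not been exported or is not auditing at all, which is the situation described in this thread.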