?
Solved

Who created/deleted an account/object in Active Directory

Posted on 2006-03-23
7
Medium Priority
?
207 Views
Last Modified: 2013-12-04
Greetings,

Our domain is still running AD 2000 with all 2000 servers.  One of my administrators trusted to administer user accounts in AD accidentally deleted an important account.  The deletion was discovered when we noticed that the account did not have the correct group membership and a three day old creation date.  For some unknown reason no one wants to claim responsibility which is forcing us to find out who did it.  We had auditing set to log Account Management success but for some reason nothing was logged on any server.  If the person connected from their workstation via MMC it would not be logged their.  Does anyone know of a way to find out who created or deleted an account/object in AD if Audit logging is not set or functioning properly?  Currently we are using ldp.exe to trying and get some info but we are not developers who know serious AD internals.  We also tried using repadmin with the /showobjmeta and found that showobjmeta is not available in 2K - only 2003.  Any help would be welcome......
0
Comment
Question by:netadmins
  • 3
  • 2
6 Comments
 
LVL 23

Expert Comment

by:TheCleaner
ID: 16277297
2 things:

1.  I would get this from Quest (it's free):  http://www.quest.com/object_restore_for_active_directory/

2.  Or you can try this:  http://support.microsoft.com/?kbid=840001


And for the future:

http://support.microsoft.com/?kbid=814595


Other than that, Scriptlogic may work, but I don't know since it's now "in the past":

http://www.scriptlogic.com/Active_Directory_Auditing.asp
0
 
LVL 23

Expert Comment

by:TheCleaner
ID: 16282968
I also noticed that Quest also makes: http://www.quest.com/intrust_for_active_directory/

and that will keep change tracking for AD.
0
 

Author Comment

by:netadmins
ID: 16283996
Thanks for the comments guys.  As far as loggin in the future, we already have that taken care of.  I believe Account Management auditing is set to audit "success" by default on DCs but not a single server logged the creation of the account.  That is a separate issue we are troubleshooting.  At this time we are focusing on finding the culprit.  

 - Thecleaner, the individual recreated a new account so we don't have to worry about a restore.  Not unless you think it may yeild some valuable information about who deleted the account...?

We be just as interested in who created the account as we are with who deleted it.  Unfortunately, the "Owner" is Domin Admins rather than the user that created it and the only other detail we have is the creation date/time.  Any ideas on how to pull who created the account out of AD would be most helpful.
0
Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 23

Expert Comment

by:TheCleaner
ID: 16284250
I'm unaware of how to do it without 3rd party tools like the above.
0
 

Author Comment

by:netadmins
ID: 16524714
Greetings all,

We contacted Microsoft Support and they told us there is no way to get the information we are looking for.  Auditing is the key so at least we learned a lesson and the next time this happens we will have record.  Not sure how to award points on this one?
0
 

Accepted Solution

by:
GranMod earned 0 total points
ID: 16559930
PAQed with points refunded (500)

GranMod
Community Support Moderator
0

Featured Post

2017 Webroot Threat Report

MSPs: Get the facts you need to protect your clients.
The 2017 Webroot Threat Report provides a uniquely insightful global view into the analysis and discoveries made by the Webroot® Threat Intelligence Platform to provide insights on key trends and risks as seen by our users.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Recently, a new law in my state forced us to get a top-to-bottom analysis of all of our contract client's networks. While we have documentation, it was spotty at best for some - and in any event it needed to be checked against reality. That was m…
SHARE your personal details only on a NEED to basis. Take CHARGE and SECURE your IDENTITY. How do I then PROTECT myself and stay in charge of my own Personal details (and) - MY own WAY...
This video shows how to quickly and easily deploy an email signature for all users in Office 365 and prevent it from being added to replies and forwards. (the resulting signature is applied on the server level in Exchange Online) The email signat…
Screencast - Getting to Know the Pipeline

850 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question