Who created/deleted an account/object in Active Directory


Our domain is still running AD 2000 with all 2000 servers.  One of my administrators trusted to administer user accounts in AD accidentally deleted an important account.  The deletion was discovered when we noticed that the account did not have the correct group membership and a three day old creation date.  For some unknown reason no one wants to claim responsibility which is forcing us to find out who did it.  We had auditing set to log Account Management success but for some reason nothing was logged on any server.  If the person connected from their workstation via MMC it would not be logged their.  Does anyone know of a way to find out who created or deleted an account/object in AD if Audit logging is not set or functioning properly?  Currently we are using ldp.exe to trying and get some info but we are not developers who know serious AD internals.  We also tried using repadmin with the /showobjmeta and found that showobjmeta is not available in 2K - only 2003.  Any help would be welcome......
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

2 things:

1.  I would get this from Quest (it's free):  http://www.quest.com/object_restore_for_active_directory/

2.  Or you can try this:  http://support.microsoft.com/?kbid=840001

And for the future:


Other than that, Scriptlogic may work, but I don't know since it's now "in the past":

I also noticed that Quest also makes: http://www.quest.com/intrust_for_active_directory/

and that will keep change tracking for AD.
netadminsAuthor Commented:
Thanks for the comments guys.  As far as loggin in the future, we already have that taken care of.  I believe Account Management auditing is set to audit "success" by default on DCs but not a single server logged the creation of the account.  That is a separate issue we are troubleshooting.  At this time we are focusing on finding the culprit.  

 - Thecleaner, the individual recreated a new account so we don't have to worry about a restore.  Not unless you think it may yeild some valuable information about who deleted the account...?

We be just as interested in who created the account as we are with who deleted it.  Unfortunately, the "Owner" is Domin Admins rather than the user that created it and the only other detail we have is the creation date/time.  Any ideas on how to pull who created the account out of AD would be most helpful.
Active Protection takes the fight to cryptojacking

While there were several headline-grabbing ransomware attacks during in 2017, another big threat started appearing at the same time that didn’t get the same coverage – illicit cryptomining.

I'm unaware of how to do it without 3rd party tools like the above.
netadminsAuthor Commented:
Greetings all,

We contacted Microsoft Support and they told us there is no way to get the information we are looking for.  Auditing is the key so at least we learned a lesson and the next time this happens we will have record.  Not sure how to award points on this one?
PAQed with points refunded (500)

Community Support Moderator

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
OS Security

From novice to tech pro — start learning today.