Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
?
Solved

Auditing Windows Server 2003

Posted on 2006-05-22
15
Medium Priority
?
272 Views
Last Modified: 2011-10-03
Company has multiple DCs in different states but two main at corporate.  Auditing is enabled for both and all selections are checked.  I wanted to find out who created a user in AD? and when a user was created.

All the info I've found says enable auditing and it'll tell you everything you want to know in Event Viewer, but I'm not finding anything along the lines of user creation.  I see logons/logoffs, privileged use, detailed tracking (have no idea what that means), but nothing on AD user creations.

Some other posting for Server 2000 said to open the user properties and click on the Object tab to see the creation date.  I  don't see this for 2003 AD.

Any ideas? Thanks!
0
Comment
Question by:mdmcq5
  • 8
  • 6
15 Comments
 

Author Comment

by:mdmcq5
ID: 16735510
I have seen this article and have followed the steps to add create and delete on the users OU, so far the only policy set is privileged but everything is checked.
http://support.microsoft.com/default.aspx?scid=kb;en-us;814595

and have seen this EE posting:
http://www.experts-exchange.com/Security/Win_Security/Q_21389186.html?query=user+creation+date+windows+server+2003&clearTAFilter=true
0
 
LVL 22

Expert Comment

by:mcsween
ID: 16735592
This VBScript will give you the create date/time.  Possibly narrow down where to look in the logs.

Modify the "User" variable to match your user.  Be sure to include the full LDAP name.

'~~~~~~START~~~~~~~~~
Option Explicit
Dim user, ADUser
user = "LDAP://CN=UserName,OU=UsersOU,DC=MyDomain,DC=local"
Set ADUser = GetObject(user)
WScript.Echo ADUser.whencreated
'~~~~~~~~End~~~~~~~~~~~
0
 

Author Comment

by:mdmcq5
ID: 16735621
I have no idea how to use that.
0
Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 

Author Comment

by:mdmcq5
ID: 16735933
i now notice since adding policies, the object tab is now appearing and shows the creation date, but not who created it.
0
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 16738325
Hi mdmcq5,

where abouts have you set up your auditing?
0
 

Author Comment

by:mdmcq5
ID: 16738439
In the domain Group Policy and on the users OU.
0
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 16739060
hmm well i wold have though the domain policy would have picked this up    strange...
0
 

Author Comment

by:mdmcq5
ID: 16739545
The GPO for the DC had everything checked, just added some more info and now it seems to be auditing
0
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 16739702
what info did you add for it to start?
0
 

Author Comment

by:mdmcq5
ID: 16744467
I checked the  Default Domain Controller Policy and all policies for success/failure were selected. Still, Event Log now showing what I wanted.

I then Configure Auditing for the users Active Directory OU:
Active Directory Users and Computers. Advanced Features. Properties of the OU. Security tab, and then Advanced. Auditing tab, and then Add.

I added success/failure for the following on everyone:
create/delete user objects
create/delete account objects
modify permissions

Once that was done, the Event Log began to show what I wanted to see.
0
 
LVL 48

Accepted Solution

by:
Jay_Jay70 earned 750 total points
ID: 16747459
yup those ones will do it :) cheers
0
 

Author Comment

by:mdmcq5
ID: 16747766
Since you concur :) cheers
0
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 16747775
haha lol! all the best mate
0
 

Author Comment

by:mdmcq5
ID: 16747779
same to you..
good thing you didn't disagree
0
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 16747800
it would have been all over!
0

Featured Post

[Webinar] Database Backup and Recovery

Does your company store data on premises, off site, in the cloud, or a combination of these? If you answered “yes”, you need a data backup recovery plan that fits each and every platform. Watch now as as Percona teaches us how to build agile data backup recovery plan.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The HP utility "HP Lights-Out Online Configuration Utility for Windows Server 2003/2008" could be of great use when it comes to remotely configure a HP servers ILO WITHOUT rebooting the server. We would only need to create and run scripts using thi…
Restoring deleted objects in Active Directory has been a standard feature in Active Directory for many years, yet some admins may not know what is available.
With just a little bit of  SQL and VBA, many doors open to cool things like synchronize a list box to display data relevant to other information on a form.  If you have never written code or looked at an SQL statement before, no problem! ...  give i…
Kernel Data Recovery is a renowned Data Recovery solution provider which offers wide range of softwares for both enterprise and home users with its cost-effective solutions. Let's have a quick overview of the journey and data recovery tools range he…

581 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question