Active Directory Witch Hunt!

Someone moved one of my OUs earlier today, I need to know who did it!

Are there any audit logs for Active Directory?

Where Do I find them?
McExp asked:

Chris Dent (PowerShell Developer) commented:

Okay, Event ID 566.

Do bear in mind that just having the policy enabled isn't enough. You need a System Access Control List set to tell it what events it should audit.

Doesn't hurt to look though.

A move would have a number of events associated with it. The text looks vaguely like this (I made it generate one in my test domain):

Object Operation:
       Object Server:      DS
       Operation Type:      Object Access
       Object Type:      user
       Object Name:      CN=John Doe,CN=Users,DC=test,DC=com
       Handle ID:      -
       Primary User Name:      DC-01$
       Primary Domain:      TEST
       Primary Logon ID:      (0x0,me)
       Client User Name:      me
       Client Domain:      TEST
       Client Logon ID:      (0x0,StillMe)
       Accesses:      Write Property
                  
       Properties:
      Write Property
            Public Information
                  name
                  cn
      user

       Additional Info:      CN=John Doe,CN=Users,DC=test,DC=com
       Additional Info2:      CN=Users,DC=test,DC=com
       Access Mask:      0x20

I'm lazy so I'd probably throw a little script together to look through the log for me :)

Chris

Chris Dent (PowerShell Developer) commented:
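An added example of the kind of script mentioned above (it is not Chris's code or part of the original thread): it pulls Event ID 566 entries from each DC's Security log, keeps only the ones that write the name/cn properties, and reports who changed which object. It assumes the classic Security log message layout quoted above (Windows Server 2003; on 2008 and later the equivalent event is 4662 with a different layout), that auditing and SACLs are already in place, and that the DC names are placeholders you replace with your own.

```powershell
# Added example, not from the original thread. Assumes classic Event ID 566
# message text as quoted above; DC names below are placeholders.
param(
    [string[]]$DomainControllers = @('DC-01', 'DC-02'),  # placeholder DC names
    [int]$HoursBack = 24
)

$since = (Get-Date).AddHours(-$HoursBack)

# Pull one "Label:   value" field out of the event message text.
function Get-EventField {
    param([string]$Message, [string]$Label)
    $pattern = "(?m)^\s*$([regex]::Escape($Label)):\s*(.+?)\s*$"
    if ($Message -match $pattern) { return $Matches[1] }
    return $null
}

# Collect matching events from every DC; the change is only logged on the DC
# the user happened to be connected to, so all of them have to be searched.
$results = foreach ($dc in $DomainControllers) {
    Get-EventLog -ComputerName $dc -LogName Security -InstanceId 566 -After $since |
        Where-Object {
            # A move or rename shows up as a Write Property on the naming
            # attributes (name / cn), so only keep events touching those.
            $_.Message -match 'Write Property' -and
            $_.Message -match '(?m)^\s+(name|cn)\s*$'
        } |
        ForEach-Object {
            [PSCustomObject]@{
                DC        = $dc
                Time      = $_.TimeGenerated
                Who       = '{0}\{1}' -f (Get-EventField $_.Message 'Client Domain'),
                                          (Get-EventField $_.Message 'Client User Name')
                Object    = Get-EventField $_.Message 'Object Name'
                Container = Get-EventField $_.Message 'Additional Info2'
            }
        }
}

$results | Sort-Object Time | Format-Table -AutoSize
```

The Who column is the Client User Name (the account that actually made the change), not the Primary User Name, which is just the DC's own machine account.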

Only if you enabled Auditing and set up audit ACLs on your directory structure. They get logged to the Security Log if you did.

I'm afraid there's nothing in place by default.

Chris

McExp (Author) commented:
We've usually got most auditing on, which security log do I go and check?

Will it be on all DCs?

Chris Dent (PowerShell Developer) commented:

It will be spread across each of your DCs. It depends which one the user was connected to when making the change. Lots of them?

Chris

McExp (Author) commented:
We have Auditing turned on. What event number should I be looking for?