Active Directory Witch Hunt!

Posted on 2009-05-01
Last Modified: 2012-05-06
Someone moved one of my OUs earlier today; I need to know who did it!

Are there any audit logs for Active Directory?

Where do I find them?
Question by:McExp
    LVL 70

    Expert Comment

    by:Chris Dent

    Only if you enabled Auditing and set up audit ACLs on your directory structure. They get logged to the Security Log if you did.

    I'm afraid there's nothing in place by default.

    LVL 16

    Author Comment

    We've usually got most auditing on, which security log do I go and check?

    Will it be on all DCs?
    LVL 70

    Expert Comment

    by:Chris Dent

    It will be spread across each of your DCs. It depends which one the user was connected to when making the change. Lots of them?

    LVL 16

    Author Comment

    We have Auditing turned on. What event number should I be looking for?
    LVL 70

    Accepted Solution


    Okay, Event ID 566.

    Do bear in mind that just having the policy enabled isn't enough. You need a System Access Control List set to tell it what events it should audit.

    Doesn't hurt to look though.

    A move would have a number of Events associated with it. The text looks vaguely like this (made it generate one in my test domain):

    Object Operation:
           Object Server:      DS
           Operation Type:      Object Access
           Object Type:      user
           Object Name:      CN=John Doe,CN=Users,DC=test,DC=com
           Handle ID:      -
           Primary User Name:      DC-01$
           Primary Domain:      TEST
           Primary Logon ID:      (0x0,me)
           Client User Name:      me
           Client Domain:      TEST
           Client Logon ID:      (0x0,StillMe)
           Accesses:      Write Property
          Write Property
                Public Information

           Additional Info:      CN=John Doe,CN=Users,DC=test,DC=com
           Additional Info2:      CN=Users,DC=test,DC=com
           Access Mask:      0x20

    I'm lazy so I'd probably throw a little script together to look through the log for me :)
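A script along the lines the accepted answer hints at, added here as an example (it is not Chris Dent's script and was not part of the thread). It assumes a PowerShell session with read access to the Security log on each DC, the classic 566 message layout shown above, and placeholder values for the OU's distinguished name ($OuDn) and the time window ($Since). Because the event is written only on the DC the user was connected to, it sweeps every DC in the domain and reports, per 566 event that references the OU, who made the change and from which DC the record came.

```powershell
# Added example, not from the original thread. Searches each DC's Security log
# for Event ID 566 entries that mention a given OU and lists who made the change.
# Assumptions: classic (pre-2008) Security log text as shown in the answer,
# Get-EventLog reachable on every DC, and rights to read the Security log there.
param(
    [string]$OuDn  = 'OU=Sales,DC=test,DC=com',      # placeholder: DN of the moved OU
    [datetime]$Since = (Get-Date).AddHours(-24),     # placeholder: how far back to look
    [string[]]$DomainControllers = @()
)

# Default to every DC in the current domain: the move is logged only on the DC
# the user was connected to, so all of them have to be searched.
if (-not $DomainControllers) {
    $DomainControllers = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().DomainControllers |
        ForEach-Object { $_.Name }
}

# Pull one "Label:   value" line out of the event message text (first line only,
# so multi-line fields such as "Accesses:" return just their first entry).
function Get-EventField {
    param([string]$Message, [string]$Label)
    $pattern = '(?m)^\s*' + [regex]::Escape($Label) + ':\s*(.*?)\s*$'
    $m = [regex]::Match($Message, $pattern)
    if ($m.Success) { $m.Groups[1].Value } else { '' }
}

# The RDN ("OU=Sales") survives a move even though the rest of the DN changes,
# so match on that rather than on the full DN.
$ouRdn = ($OuDn -split ',')[0]
$rdnPattern = [regex]::Escape($ouRdn)

$results = foreach ($dc in $DomainControllers) {
    Get-EventLog -LogName Security -ComputerName $dc -After $Since -ErrorAction SilentlyContinue |
        Where-Object { $_.EventID -eq 566 } |
        ForEach-Object {
            $msg        = $_.Message
            $objectName = Get-EventField $msg 'Object Name'
            $info       = Get-EventField $msg 'Additional Info'
            $info2      = Get-EventField $msg 'Additional Info2'   # parent container in the sample above
            # Keep only events whose object or additional-info fields reference the OU.
            if (@($objectName, $info, $info2) -match $rdnPattern) {
                New-Object PSObject -Property @{
                    Time       = $_.TimeGenerated
                    DC         = $dc
                    ClientUser = Get-EventField $msg 'Client User Name'
                    ClientDom  = Get-EventField $msg 'Client Domain'
                    ObjectName = $objectName
                    Accesses   = Get-EventField $msg 'Accesses'
                    Info2      = $info2
                }
            }
        }
}

$results | Sort-Object Time |
    Format-Table Time, DC, ClientDom, ClientUser, Accesses, ObjectName, Info2 -AutoSize
```

If the sweep returns nothing for a change you know happened, the likely cause is the one the answer gives: the audit policy is on but no SACL on the OU (or its parent) asks for Write Property / object-access events to be recorded, so there was never anything to find.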

