Solved

Active Directory Witch Hunt!

Posted on 2009-05-01
Last Modified: 2012-05-06
Someone moved one of my OUs earlier today, I need to know who did it!

Are there any audit logs for Active Directory?

Where Do I find them?
Question by:McExp
5 Comments
 
LVL 71

Expert Comment

by:Chris Dent
ID: 24279348

Only if you enabled Auditing and set up audit ACLs on your directory structure. They get logged to the Security Log if you did.

I'm afraid there's nothing in place by default.

Chris
 
LVL 16

Author Comment

by:McExp
ID: 24279473
We've usually got most auditing on. Which security log do I go and check?

Will it be on all DCs?
 
LVL 71

Expert Comment

by:Chris Dent
ID: 24279524

It will be spread across each of your DCs. It depends which one the user was connected to when making the change. Lots of them?

Chris
 
LVL 16

Author Comment

by:McExp
ID: 24279841
We have Auditing turned on. What event number should I be looking for?
 
LVL 71

Accepted Solution

by:Chris Dent (earned 2000 total points)
ID: 24279940

Okay, Event ID 566.

Do bear in mind that just having the policy enabled isn't enough. You need a System Access Control List set to tell it what events it should audit.

Doesn't hurt to look though.

A move would have a number of Events associated with it. The text looks vaguely like this (made it generate one in my test domain):

Object Operation:
       Object Server:      DS
       Operation Type:      Object Access
       Object Type:      user
       Object Name:      CN=John Doe,CN=Users,DC=test,DC=com
       Handle ID:      -
       Primary User Name:      DC-01$
       Primary Domain:      TEST
       Primary Logon ID:      (0x0,me)
       Client User Name:      me
       Client Domain:      TEST
       Client Logon ID:      (0x0,StillMe)
       Accesses:      Write Property
                  
       Properties:
      Write Property
            Public Information
                  name
                  cn
      user

       Additional Info:      CN=John Doe,CN=Users,DC=test,DC=com
       Additional Info2:      CN=Users,DC=test,DC=com
       Access Mask:      0x20

I'm lazy so I'd probably throw a little script together to look through the log for me :)

Chris
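Chris mentions scripting the log search, so here is an added example (not from the thread) in Python: it parses 566 "Object Operation" messages laid out like the sample above, keeps only DS Write Property events on the OU in question, and reports the Client User Name rather than the Primary User Name (which in the sample is the DC's own machine account). The event text and DC names are constructed; the field names are those shown in the sample, and the OU is matched by its RDN so the check works whichever DN the event records.

```python
import re

# Constructed 566 "Object Operation" messages, laid out like the sample in the answer above.
TEMPLATE = (
    "Object Operation:\n"
    "       Object Server:      DS\n"
    "       Object Name:      {dn}\n"
    "       Primary User Name:      {dc}$\n"      # the DC's own account, not the person
    "       Client User Name:      {client}\n"    # the account that requested the change
    "       Client Domain:      TEST\n"
    "       Accesses:      {access}\n"
    "       Additional Info2:      {parent}\n"
    "       Access Mask:      0x20\n"
)

def make_event(dc, **kw):
    return {"dc": dc, "event_id": 566, "message": TEMPLATE.format(dc=dc, **kw)}

# One record per DC, as you would get by pulling the Security log from each of them (constructed).
SAMPLE_EVENTS = [
    make_event("DC-01", dn="CN=John Doe,CN=Users,DC=test,DC=com", client="me",
               access="Write Property", parent="CN=Users,DC=test,DC=com"),
    make_event("DC-02", dn="OU=Sales,OU=Archive,DC=test,DC=com", client="jsmith",
               access="Write Property", parent="OU=Archive,DC=test,DC=com"),
    make_event("DC-02", dn="OU=Sales,OU=Archive,DC=test,DC=com", client="auditor",
               access="Read Property", parent="OU=Archive,DC=test,DC=com"),
]

# "Field:   value" lines; the value is the rest of that line only, so the indented
# Properties sub-tree (lines without a colon) is skipped rather than misread.
FIELD_RE = re.compile(r"^[ \t]*([A-Za-z][A-Za-z0-9 ]*?):[ \t]*(.*)$", re.MULTILINE)

def parse_fields(message):
    return {k: v.strip() for k, v in FIELD_RE.findall(message)}

def find_ou_writers(events, ou_rdn):
    """Who wrote to an object whose DN contains ou_rdn (e.g. 'OU=Sales'), and on which DC."""
    hits = []
    for ev in events:
        if ev["event_id"] != 566:
            continue
        f = parse_fields(ev["message"])
        if f.get("Object Server") != "DS" or "Write Property" not in f.get("Accesses", ""):
            continue  # reads and non-directory objects are noise for this question
        if ou_rdn.lower() not in f.get("Object Name", "").lower():
            continue
        hits.append({"dc": ev["dc"], "object": f["Object Name"],
                     "who": f"{f.get('Client Domain', '?')}\\{f.get('Client User Name', '?')}",
                     "container": f.get("Additional Info2", "")})
    return hits
```

Feed it the 566 events collected from every DC, since the entry only exists on the DC the user was connected to.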
