Active Directory users deleted - how to find the culprit?

It was discovered yesterday that a few hundred test users we use in our organization were deleted and no one has confessed to doing so, although I am not sure if it was a user who did this or some bad code that someone wrote.

I am relatively new to the inner workings of Active Directory like this, so be kind. I need to know how to track down when the missing users were deleted and who (or what) did it, if this is even possible. I have two Windows 2003 DCs in my environment.

Thanks in advance!
LVL 1
alan2938Asked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Swapnil PrajapatiSr. System AdministratorCommented:
You should enable auditing

Auditing is very similar to Performance Monitor, in that it waits for a specific event to occur, and then reports on it within the Event Viewer. Instead of waiting for system performance events, auditing usually tracks the success or failure of system and security events

Auditing is generally turned on through a security policy, which is another part of Group Policy. These security policies are generally accessed through Administrative Tools.

HERE IS WHAT THEY DO

Audit Account Logon Events: Tracks user logon and logoff events.
Audit Account Management: Reports changes to user accounts.
Audit Directory Service Access: Reports access and changes to the directory service. If the system is a member server or XP system, directory service is NTLM-based, and consists of user accounts and group policies.
Audit Logon Events: Reports success/failure of any local or remote access-based logon.
Audit Object Access: Reports file and folder access. Must be implemented here, and then the individual file/folder must be configured for auditing within its properties in order to fully enable this feature.
Audit Policy Change: Reports changes to group policies.
Audit Privilege Use: Related to Audit Object Access: reports when permissions are utilized such as read, or full control.
Audit Process Tracking: Reports process and program failures. Not security related.
Audit System Events: Reports standard system events. Not security related.
If it becomes necessary to audit file or folder access, the audit policy must be changed, and then the file or folder must be flagged for auditing. From that point, items will appear in the Event Viewer. How the file or folder is accessed is also subject to auditing, and must be decided once auditing of the object is enabled. Every type of permission listed earlier in this chapter is available as a type of access, with each type of access capable of being audited if successful or failed.

http://support.microsoft.com/kb/300549 CHECK THIS OUT FOR IDEA
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Forrest BurrisCommented:
Check out Active Directory Audit by Quest

http://www.quest.com/changeauditor-for-active-directory/

You'll have to sift carefully through your security event log if you want to find the culprit the hard way. Start, run, eventvwr - security
0
Mike KlineCommented:
So the auditing is right, what you want to look for is event 630 in the security event logs  http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=630
If you want to search multiple DCs a tool like eventcomb can really help, download it here   http://www.microsoft.com/downloads/en/details.aspx?FamilyId=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en
 
Thanks
Mike
0
alan2938Author Commented:
Well lucky for me, auditing is already turned on. I found some 630 events that I am looking into. Is there an easy way to the account deletions to a specific user (read: specific IP address) that logged in to do it? I have about 30 people who have access to this machine and log on/off all the time.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Active Directory

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.