Active Directory users deleted - how to find the culprit?

It was discovered yesterday that a few hundred test users we use in our organization were deleted and no one has confessed to doing so, although I am not sure if it was a user who did this or some bad code that someone wrote.

I am relatively new to the inner workings of Active Directory like this, so be kind. I need to know how to track down when the missing users were deleted and who (or what) did it, if this is even possible. I have two Windows 2003 DCs in my environment.

Thanks in advance!
LVL 1
alan2938Asked:
Who is Participating?
 
Swapnil PrajapatiConnect With a Mentor Sr. System AdministratorCommented:
You should enable auditing

Auditing is very similar to Performance Monitor, in that it waits for a specific event to occur, and then reports on it within the Event Viewer. Instead of waiting for system performance events, auditing usually tracks the success or failure of system and security events

Auditing is generally turned on through a security policy, which is another part of Group Policy. These security policies are generally accessed through Administrative Tools.

HERE IS WHAT THEY DO

Audit Account Logon Events: Tracks user logon and logoff events.
Audit Account Management: Reports changes to user accounts.
Audit Directory Service Access: Reports access and changes to the directory service. If the system is a member server or XP system, directory service is NTLM-based, and consists of user accounts and group policies.
Audit Logon Events: Reports success/failure of any local or remote access-based logon.
Audit Object Access: Reports file and folder access. Must be implemented here, and then the individual file/folder must be configured for auditing within its properties in order to fully enable this feature.
Audit Policy Change: Reports changes to group policies.
Audit Privilege Use: Related to Audit Object Access: reports when permissions are utilized such as read, or full control.
Audit Process Tracking: Reports process and program failures. Not security related.
Audit System Events: Reports standard system events. Not security related.
If it becomes necessary to audit file or folder access, the audit policy must be changed, and then the file or folder must be flagged for auditing. From that point, items will appear in the Event Viewer. How the file or folder is accessed is also subject to auditing, and must be decided once auditing of the object is enabled. Every type of permission listed earlier in this chapter is available as a type of access, with each type of access capable of being audited if successful or failed.

http://support.microsoft.com/kb/300549 CHECK THIS OUT FOR IDEA
0
 
Forrest BurrisConnect With a Mentor Commented:
Check out Active Directory Audit by Quest

http://www.quest.com/changeauditor-for-active-directory/

You'll have to sift carefully through your security event log if you want to find the culprit the hard way. Start, run, eventvwr - security
0
 
Mike KlineCommented:
So the auditing is right, what you want to look for is event 630 in the security event logs  http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=630
If you want to search multiple DCs a tool like eventcomb can really help, download it here   http://www.microsoft.com/downloads/en/details.aspx?FamilyId=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en
 
Thanks
Mike
0
 
alan2938Author Commented:
Well lucky for me, auditing is already turned on. I found some 630 events that I am looking into. Is there an easy way to the account deletions to a specific user (read: specific IP address) that logged in to do it? I have about 30 people who have access to this machine and log on/off all the time.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.