Solved

Active Directory users deleted - how to find the culprit?

Posted on 2010-09-10
Last Modified: 2012-05-10
It was discovered yesterday that a few hundred test users we use in our organization were deleted and no one has confessed to doing so, although I am not sure if it was a user who did this or some bad code that someone wrote.

I am relatively new to the inner workings of Active Directory like this, so be kind. I need to know how to track down when the missing users were deleted and who (or what) did it, if this is even possible. I have two Windows 2003 DCs in my environment.

Thanks in advance!
Question by:alan2938
4 Comments
 

Accepted Solution

by:
Swapnil Prajapati earned 1000 total points
ID: 33647491
You should enable auditing.

Auditing is very similar to Performance Monitor, in that it waits for a specific event to occur, and then reports on it within the Event Viewer. Instead of waiting for system performance events, auditing usually tracks the success or failure of system and security events.

Auditing is generally turned on through a security policy, which is another part of Group Policy. These security policies are generally accessed through Administrative Tools.

HERE IS WHAT THEY DO

Audit Account Logon Events: Tracks user logon and logoff events.
Audit Account Management: Reports changes to user accounts.
Audit Directory Service Access: Reports access and changes to the directory service. If the system is a member server or XP system, directory service is NTLM-based, and consists of user accounts and group policies.
Audit Logon Events: Reports success/failure of any local or remote access-based logon.
Audit Object Access: Reports file and folder access. Must be implemented here, and then the individual file/folder must be configured for auditing within its properties in order to fully enable this feature.
Audit Policy Change: Reports changes to group policies.
Audit Privilege Use: Related to Audit Object Access: reports when permissions are utilized such as read, or full control.
Audit Process Tracking: Reports process and program failures. Not security related.
Audit System Events: Reports standard system events. Not security related.
If it becomes necessary to audit file or folder access, the audit policy must be changed, and then the file or folder must be flagged for auditing. From that point, items will appear in the Event Viewer. How the file or folder is accessed is also subject to auditing, and must be decided once auditing of the object is enabled. Every type of permission listed earlier in this chapter is available as a type of access, with each type of access capable of being audited if successful or failed.

http://support.microsoft.com/kb/300549 CHECK THIS OUT FOR IDEAS
 

Assisted Solution

by:Forrest Burris
Forrest Burris earned 1000 total points
ID: 33647513
Check out Active Directory Audit by Quest

http://www.quest.com/changeauditor-for-active-directory/

You'll have to sift carefully through your security event log if you want to find the culprit the hard way. Start, run, eventvwr - security
 

Expert Comment

by:Mike Kline
ID: 33648108
So the auditing is right; what you want to look for is event 630 in the security event logs: http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=630
If you want to search multiple DCs, a tool like eventcomb can really help. Download it here: http://www.microsoft.com/downloads/en/details.aspx?FamilyId=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en
 
Thanks
Mike
 

Author Comment

by:alan2938
ID: 33648287
Well, lucky for me, auditing is already turned on. I found some 630 events that I am looking into. Is there an easy way to tie the account deletions to a specific user (read: specific IP address) that logged in to do it? I have about 30 people who have access to this machine and log on/off all the time.
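One way to do what Mike describes (search event 630 across several DCs) and what the author asks next (tie each deletion to a caller and a source address), as an added example that is not from this thread: a PowerShell script that pulls event 630 from each Windows Server 2003 DC's Security log, tallies deletions per Caller User Name, and then looks up that caller's logon event (528/540) on the same DC for its Source Network Address. The DC names and the 7-day window are assumptions.

```powershell
# Added example, not from the thread: collect Windows Server 2003 "User Account Deleted"
# events (ID 630) from each DC's Security log and show who deleted what, from where.
# Assumptions: the DC names are placeholders, and the caller can read remote Security logs.
$DomainControllers = @('DC1', 'DC2')   # placeholder names, replace with your own DCs
$Since = (Get-Date).AddDays(-7)        # assumed search window

function Get-FieldValue {
    # Event text is "Label:<tab>Value" lines; return the value for one label, or $null.
    param([string]$Message, [string]$Label)
    $m = [regex]::Match($Message, "(?m)^\s*$([regex]::Escape($Label)):\s*(.+?)\s*$")
    if ($m.Success) { $m.Groups[1].Value } else { $null }
}

$deletions = foreach ($dc in $DomainControllers) {
    Get-EventLog -LogName Security -ComputerName $dc -InstanceId 630 -After $Since |
        ForEach-Object {
            New-Object PSObject -Property @{
                DC            = $dc
                Time          = $_.TimeGenerated
                TargetAccount = Get-FieldValue $_.Message 'Target Account Name'
                CallerDomain  = Get-FieldValue $_.Message 'Caller Domain'
                CallerUser    = Get-FieldValue $_.Message 'Caller User Name'
                CallerLogonId = Get-FieldValue $_.Message 'Caller Logon ID'
            }
        }
}

# Deletions per caller and DC: a few hundred under one caller points at the script or person.
$deletions | Group-Object CallerDomain, CallerUser, DC |
    Sort-Object Count -Descending | Format-Table Count, Name -AutoSize

# Full timeline for the record.
$deletions | Sort-Object Time |
    Format-Table Time, DC, TargetAccount, CallerUser, CallerLogonId -AutoSize

# The Caller Logon ID matches the "Logon ID" field of that session's logon event on the
# same DC (528 interactive / 540 network on Windows 2003); its "Source Network Address"
# field gives the client IP the caller came from.
$first = $deletions | Sort-Object Time | Select-Object -First 1
if ($first -and $first.CallerLogonId) {
    $idPattern = 'Logon ID:\s*' + [regex]::Escape($first.CallerLogonId)
    Get-EventLog -LogName Security -ComputerName $first.DC -After $Since |
        Where-Object { (528, 540) -contains $_.EventID -and $_.Message -match $idPattern } |
        ForEach-Object {
            '{0}  event {1}  from {2}' -f $_.TimeGenerated, $_.EventID,
                (Get-FieldValue $_.Message 'Source Network Address')
        }
}
```

If the deletions were made by a service account or a scheduled script rather than a person, the Caller User Name and the logon type in the matched 528/540 event (network vs. interactive) are what distinguish the two cases.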
