Solved

Active Directory users deleted - how to find the culprit?

Posted on 2010-09-10
4
768 Views
Last Modified: 2012-05-10
It was discovered yesterday that a few hundred test users we use in our organization were deleted and no one has confessed to doing so, although I am not sure if it was a user who did this or some bad code that someone wrote.

I am relatively new to the inner workings of Active Directory like this, so be kind. I need to know how to track down when the missing users were deleted and who (or what) did it, if this is even possible. I have two Windows 2003 DCs in my environment.

Thanks in advance!
0
Comment
Question by:alan2938
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
4 Comments
 
LVL 5

Accepted Solution

by:
Swapnil Prajapati earned 250 total points
ID: 33647491
You should enable auditing

Auditing is very similar to Performance Monitor, in that it waits for a specific event to occur, and then reports on it within the Event Viewer. Instead of waiting for system performance events, auditing usually tracks the success or failure of system and security events

Auditing is generally turned on through a security policy, which is another part of Group Policy. These security policies are generally accessed through Administrative Tools.

HERE IS WHAT THEY DO

Audit Account Logon Events: Tracks user logon and logoff events.
Audit Account Management: Reports changes to user accounts.
Audit Directory Service Access: Reports access and changes to the directory service. If the system is a member server or XP system, directory service is NTLM-based, and consists of user accounts and group policies.
Audit Logon Events: Reports success/failure of any local or remote access-based logon.
Audit Object Access: Reports file and folder access. Must be implemented here, and then the individual file/folder must be configured for auditing within its properties in order to fully enable this feature.
Audit Policy Change: Reports changes to group policies.
Audit Privilege Use: Related to Audit Object Access: reports when permissions are utilized such as read, or full control.
Audit Process Tracking: Reports process and program failures. Not security related.
Audit System Events: Reports standard system events. Not security related.
If it becomes necessary to audit file or folder access, the audit policy must be changed, and then the file or folder must be flagged for auditing. From that point, items will appear in the Event Viewer. How the file or folder is accessed is also subject to auditing, and must be decided once auditing of the object is enabled. Every type of permission listed earlier in this chapter is available as a type of access, with each type of access capable of being audited if successful or failed.

http://support.microsoft.com/kb/300549 CHECK THIS OUT FOR IDEA
0
 
LVL 11

Assisted Solution

by:Forrest Burris
Forrest Burris earned 250 total points
ID: 33647513
Check out Active Directory Audit by Quest

http://www.quest.com/changeauditor-for-active-directory/

You'll have to sift carefully through your security event log if you want to find the culprit the hard way. Start, run, eventvwr - security
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 33648108
So the auditing is right, what you want to look for is event 630 in the security event logs  http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=630
If you want to search multiple DCs a tool like eventcomb can really help, download it here   http://www.microsoft.com/downloads/en/details.aspx?FamilyId=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en
 
Thanks
Mike
0
 
LVL 1

Author Comment

by:alan2938
ID: 33648287
Well lucky for me, auditing is already turned on. I found some 630 events that I am looking into. Is there an easy way to the account deletions to a specific user (read: specific IP address) that logged in to do it? I have about 30 people who have access to this machine and log on/off all the time.
0

Featured Post

Are your AD admin tools letting you down?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Always backup Domain, SYSVOL etc.using processes according to Microsoft Best Practices. This is meant as a disaster recovery process for small environments that did not implement backup processes and did not run a secondary domain controller that ne…
Here's a look at newsworthy articles and community happenings during the last month.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…

627 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question