Solved

Active Directory users deleted - how to find the culprit?

Posted on 2010-09-10
4
762 Views
Last Modified: 2012-05-10
It was discovered yesterday that a few hundred test users we use in our organization were deleted and no one has confessed to doing so, although I am not sure if it was a user who did this or some bad code that someone wrote.

I am relatively new to the inner workings of Active Directory like this, so be kind. I need to know how to track down when the missing users were deleted and who (or what) did it, if this is even possible. I have two Windows 2003 DCs in my environment.

Thanks in advance!
0
Comment
Question by:alan2938
4 Comments
 
LVL 5

Accepted Solution

by:
swap_101982 earned 250 total points
ID: 33647491
You should enable auditing

Auditing is very similar to Performance Monitor, in that it waits for a specific event to occur, and then reports on it within the Event Viewer. Instead of waiting for system performance events, auditing usually tracks the success or failure of system and security events

Auditing is generally turned on through a security policy, which is another part of Group Policy. These security policies are generally accessed through Administrative Tools.

HERE IS WHAT THEY DO

Audit Account Logon Events: Tracks user logon and logoff events.
Audit Account Management: Reports changes to user accounts.
Audit Directory Service Access: Reports access and changes to the directory service. If the system is a member server or XP system, directory service is NTLM-based, and consists of user accounts and group policies.
Audit Logon Events: Reports success/failure of any local or remote access-based logon.
Audit Object Access: Reports file and folder access. Must be implemented here, and then the individual file/folder must be configured for auditing within its properties in order to fully enable this feature.
Audit Policy Change: Reports changes to group policies.
Audit Privilege Use: Related to Audit Object Access: reports when permissions are utilized such as read, or full control.
Audit Process Tracking: Reports process and program failures. Not security related.
Audit System Events: Reports standard system events. Not security related.
If it becomes necessary to audit file or folder access, the audit policy must be changed, and then the file or folder must be flagged for auditing. From that point, items will appear in the Event Viewer. How the file or folder is accessed is also subject to auditing, and must be decided once auditing of the object is enabled. Every type of permission listed earlier in this chapter is available as a type of access, with each type of access capable of being audited if successful or failed.

http://support.microsoft.com/kb/300549 CHECK THIS OUT FOR IDEA
0
 
LVL 11

Assisted Solution

by:Forrest Burris
Forrest Burris earned 250 total points
ID: 33647513
Check out Active Directory Audit by Quest

http://www.quest.com/changeauditor-for-active-directory/

You'll have to sift carefully through your security event log if you want to find the culprit the hard way. Start, run, eventvwr - security
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 33648108
So the auditing is right, what you want to look for is event 630 in the security event logs  http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=630
If you want to search multiple DCs a tool like eventcomb can really help, download it here   http://www.microsoft.com/downloads/en/details.aspx?FamilyId=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en
 
Thanks
Mike
0
 
LVL 1

Author Comment

by:alan2938
ID: 33648287
Well lucky for me, auditing is already turned on. I found some 630 events that I am looking into. Is there an easy way to the account deletions to a specific user (read: specific IP address) that logged in to do it? I have about 30 people who have access to this machine and log on/off all the time.
0

Featured Post

Highfive + Dolby Voice = No More Audio Complaints!

Poor audio quality is one of the top reasons people don’t use video conferencing. Get the crispest, clearest audio powered by Dolby Voice in every meeting. Highfive and Dolby Voice deliver the best video conferencing and audio experience for every meeting and every room.

Join & Write a Comment

Starting in Windows Server 2008, Microsoft introduced the Group Policy Central Store. This automatically replicating location allows IT administrators to have the latest and greatest Group Policy (GP) configuration settings available. Let’s expl…
Disabling the Directory Sync Service Account in Office 365 will stop directory synchronization from working.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

757 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

21 Experts available now in Live!

Get 1:1 Help Now