Solved

Finding who disabled account

Posted on 2010-11-23
16
848 Views
Last Modified: 2012-05-10
Hi,

A user account was disabled today. I want to find out when and why this was done and who did it. She was logged in this morning. Could it have been done automatically by Windows?

We're in a SBS2003 environment.

Thanks
0
Comment
Question by:m2chaudh
16 Comments
 
LVL 2

Expert Comment

by:men7s
ID: 34200445
Yes, this is possible due to account lockout, which will disable the account if the failed logon attempts threshold has been reached.
There is no way to find out directly who disabled it if that was the case.
But you can look at the security logs and see who logged in around that time or was already logged on then.
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 34200457
You have to have auditing enabled; check the audit policy for the DCs:


Computer Configuration | Windows Settings | Security Settings | Local Policies | Audit Policy

For account access like passwords and accounts being disabled look to see if "Audit Account Management" is set to Success.

Whether it is already set, or once you have set it, you will then look through your security logs for event 629: http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=629

You will be looking at the security event log on that DC.

Thanks

Mike
0
 
LVL 2

Expert Comment

by:men7s
ID: 34200459
Run eventvwr.msc and look at the security logs.
0
 
LVL 2

Expert Comment

by:men7s
ID: 34200471
http://www.windowsecurity.com/articles/Logon-Types.html

Use the link above with the security log and you will find out who had physical access to the server at that time.
0
 
LVL 10

Expert Comment

by:moon_blue69
ID: 34200475
Here is a sample of the event for disabling an account.

Caller is the person who disabled it.
Event ID 629:

http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Windows+Operating+System&ProdVer=5.0&EvtID=629&EvtSrc=Security&LCID=1033

User Account Changed:
  Account Disabled.
  Target Account Name: Bill
  Target Domain: MS0
  Target Account ID: S-1-5-21-1234561642-8123456618-725345543-1008
  Caller User Name: Administrator
  Caller Domain: ACME
  Caller Logon ID: (0x0,0xD44E)
  Privileges: -
 
0
 
LVL 7

Expert Comment

by:Rommel Sultan
ID: 34200476
Check the Event Viewer.
It should be registered in the Security Log.

Sample log
User Account Disabled:
       Target Account Name:      Guest
       Target Domain:      C686724
       Target Account ID:      C686724\Guest
       Caller User Name:      rsultan
       Caller Domain:      COC
       Caller Logon ID:      (0x0,0x1DC49)

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
0
 

Author Comment

by:m2chaudh
ID: 34200537
I want to find out why it was disabled, and who disabled the account in AD. The security audits only show me this:

Logon Failure:
       Reason:            Account currently disabled
       User Name:      llex
       Domain:            PACSRV
       Logon Type:      3
       Logon Process:      NtLmSsp
       Authentication Package:      NTLM
       Workstation Name:      KAKABEKA07
       Caller User Name:      -
       Caller Domain:      -
       Caller Logon ID:      -
       Caller Process ID:      -
       Transited Services:      -
       Source Network Address:      192.168.45.18
       Source Port:      1937

If you look at the Reason field for the logon failure, it says "Account currently disabled"; she didn't have failed logons before this happened. She was logged in this morning. So the account was disabled by someone, or the server did it. I want to know at what time the server or someone disabled her account.
0
 

Author Comment

by:m2chaudh
ID: 34200546
By the way, I have enabled her account now; I just want to know why this happened in the first place. Thanks!
0
 
LVL 2

Assisted Solution

by:men7s
men7s earned 166 total points
ID: 34200574
The answer will be in the security logs where you were, between this and when she was last logged on. Like I said, look at the logon types and you will be able to work it out.
Because you are on SBS, if you go to the Server Management window, then select Monitoring (I think) and scroll to the bottom, it should also show you failed logon attempts, so that will rule out account lockout.
0
 
LVL 33

Accepted Solution

by:
Todd Gerbert earned 167 total points
ID: 34200627
By default I believe only Logons and Logoffs are logged in the Security Log (at least that's the case on my Server 2003 system; I can't speak to SBS). If Account Management logging was turned off at the time your user's account was disabled, then that action would not have been logged.

What might help is to look and see who else (especially those users with access to modify an account) logged onto the server at about the same time your user's account became disabled.
0
 

Author Comment

by:m2chaudh
ID: 34200731
That was a good idea tgerbert, but it will be hard to say. I have to see which workstation the user was logged on to, and the time, and sorting through all the audit entries between this morning and now is just tedious.

men7s, there has been no failure due to a wrong password or the like; the account was disabled, that's why the logins failed, if at all (that's the reason I see for all failed logins by that person: account disabled). The last time she logged in successfully was in the morning.

Is there an easier way to find out, or do I have to dig through success/fail audits, see who logged on to the server during a specific time period (all day today), etc.?
0
 
LVL 2

Expert Comment

by:men7s
ID: 34200753
Unless you set other auditing options or use third-party software to monitor, then you are left with these logs to trawl through, I'm afraid.
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 34200766
You can search through the event logs for specific events; if auditing was on, just search/filter for the 629 events.

Thanks

Mike
0
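Mike Kline's 629 filter and Todd Gerbert's fallback (who else logged on around the time the account went dead) as one small script, added here as an example that is not from anyone in this thread. It parses event text of the shape quoted above from a constructed sample; the account names, the two-hour window and the Server 2003 event IDs 528/540 for successful logons are assumptions, not taken from the thread.

```python
import re
from datetime import datetime, timedelta
# Constructed sample Security log entries as (timestamp, event id, message), shaped like the Server 2003 events quoted here.
EVENTS = [
    ("2010-11-23 07:15:40", 528, "Successful Logon:\n User Name: backupsvc\n Domain: PACSRV\n Logon Type: 5"),
    ("2010-11-23 08:02:11", 528, "Successful Logon:\n User Name: llex\n Domain: PACSRV\n Logon Type: 2"),
    ("2010-11-23 09:40:05", 540, "Successful Network Logon:\n User Name: jdoe\n Domain: PACSRV\n Logon Type: 3"),
    ("2010-11-23 09:45:30", 629, "User Account Disabled:\n Target Account Name: llex\n Target Domain: PACSRV\n"
                                 " Caller User Name: jdoe\n Caller Domain: PACSRV\n Caller Logon ID: (0x0,0x1DC49)"),
    ("2010-11-23 10:01:12", 531, "Logon Failure:\n Reason: Account currently disabled\n User Name: llex\n"
                                 " Domain: PACSRV\n Logon Type: 3\n Source Network Address: 192.168.45.18"),
]
SUCCESS_LOGON_IDS = {528, 540}  # Server 2003 successful logon / network logon (assumed IDs, not from the thread)
TS = "%Y-%m-%d %H:%M:%S"

def fields(message):
    """Map the 'Name: value' lines of an event message to a dict; the first colon splits name from value."""
    return {m.group(1).strip(): m.group(2).strip()
            for m in re.finditer(r"^\s*([^:\n]+):[ \t]*(.*)$", message, re.M)}

def find_disable_events(events, target):
    """Direct answer when Audit Account Management was on: each 629 for the target, with the Caller who did it."""
    hits = []
    for ts, eid, msg in events:
        f = fields(msg)
        if eid == 629 and f.get("Target Account Name", "").lower() == target.lower():
            hits.append((ts, f.get("Caller Domain", "") + "\\" + f.get("Caller User Name", "")))
    return hits

def first_disabled_failure(events, user):
    """Earliest 'Account currently disabled' failure for the user: the disable happened before this time."""
    for ts, eid, msg in events:
        f = fields(msg)
        if f.get("Reason") == "Account currently disabled" and f.get("User Name", "").lower() == user.lower():
            return datetime.strptime(ts, TS)
    return None

def candidate_logons(events, user, window_minutes=120):
    """Fallback when 629 was not audited: other accounts with successful logons in the window before that failure."""
    cutoff = first_disabled_failure(events, user)
    if cutoff is None:
        return []
    start = cutoff - timedelta(minutes=window_minutes)
    out = []
    for ts, eid, msg in events:
        f = fields(msg)
        if (eid in SUCCESS_LOGON_IDS and start <= datetime.strptime(ts, TS) <= cutoff
                and f.get("User Name", "").lower() != user.lower()):
            out.append((ts, f.get("Domain", "") + "\\" + f.get("User Name", ""), f.get("Logon Type", "")))
    return out
```

On a real export, the same field names appear in the Event Viewer description text, so only the loading of EVENTS would change.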
 
LVL 33

Expert Comment

by:Todd Gerbert
ID: 34200791
UNLESS your audit policy was already set to log such events, I'm afraid your only recourse will be to wade through the logs and hope to see some events that correspond. You probably would have better luck just asking your admins. ;)
0
 
LVL 77

Assisted Solution

by:Rob Williams
Rob Williams earned 167 total points
ID: 34201563
A "Logon Type: 3" tells you this was locked out due to attempted internal access, as opposed to external access through Remote Web Workplace or Remote Desktop.
"Source Network Address: 192.168.45.18" tells you from what IP. If this is the IP of the workstation, it means either someone at the console tried to log on multiple times unsuccessfully, or a service such as a mapped drive tried to connect.
This is often caused by someone mapping a drive using different credentials and the password expiring.
0
 

Author Closing Comment

by:m2chaudh
ID: 34207024
Thanks for all your help. I think this would require a lot of cross-examination. I was hoping it wasn't a security breach and, as Rob mentioned, it was internal, and we have limited admin access to fewer users in the company now.

Thanks for prompt replies!
0
