Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

AD User Creation/Modifying logging

Posted on 2010-11-30
3
Medium Priority
?
573 Views
Last Modified: 2012-05-10
I just found a user account added to the Domain Admins domain group. Is there a way to find out when or who added this account to the Domain Admins group?

Using Windows Server 2003 AD.

0
Comment
Question by:OdyChris
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
3 Comments
 
LVL 4

Accepted Solution

by:
GWNet-working earned 668 total points
ID: 34238526
If you have auditing enabled you may be able to find out who added them using the security log.
0
 
LVL 9

Assisted Solution

by:losip
losip earned 668 total points
ID: 34239027
Yes, look for event ID: 632 in the Security log which is for members being added to a global group.  Also look for event ID: 612 which is a change to the vents that are audited, in case the perpetrator stopped auditing, then added the user to the Domain Admins.

Please say you have auditing enabled!
0
 
LVL 57

Assisted Solution

by:Mike Kline
Mike Kline earned 664 total points
ID: 34239037
If you do have auditing enabled look for event 632 in the security logs, more information and screenshots in a previous question I helped with

http://www.experts-exchange.com/Software/Server_Software/File_Servers/Active_Directory/Q_24687104.html

The one thing you do know is that it has to be someone with elevated rights (another domain admin) or someone that has been delegated the right to add members to the DA group.

Thanks

Mike
0

Featured Post

Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Uncontrolled local administrators groups within any organization pose a huge security risk. Because these groups are locally managed it becomes difficult to audit and maintain them.
Compliance and data security require steps be taken to prevent unauthorized users from copying data.  Here's one method to prevent data theft via USB drives (and writable optical media).
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
Are you ready to implement Active Directory best practices without reading 300+ pages? You're in luck. In this webinar hosted by Skyport Systems, you gain insight into Microsoft's latest comprehensive guide, with tips on the best and easiest way…
Suggested Courses

636 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question