?
Solved

AD User Creation/Modifying logging

Posted on 2010-11-30
3
Medium Priority
?
574 Views
Last Modified: 2012-05-10
I just found a user account added to the Domain Admins domain group. Is there a way to find out when or who added this account to the Domain Admins group?

Using Windows Server 2003 AD.

0
Comment
Question by:OdyChris
3 Comments
 
LVL 4

Accepted Solution

by:
GWNet-working earned 668 total points
ID: 34238526
If you have auditing enabled you may be able to find out who added them using the security log.
0
 
LVL 9

Assisted Solution

by:losip
losip earned 668 total points
ID: 34239027
Yes, look for event ID: 632 in the Security log which is for members being added to a global group.  Also look for event ID: 612 which is a change to the vents that are audited, in case the perpetrator stopped auditing, then added the user to the Domain Admins.

Please say you have auditing enabled!
0
 
LVL 57

Assisted Solution

by:Mike Kline
Mike Kline earned 664 total points
ID: 34239037
If you do have auditing enabled look for event 632 in the security logs, more information and screenshots in a previous question I helped with

http://www.experts-exchange.com/Software/Server_Software/File_Servers/Active_Directory/Q_24687104.html

The one thing you do know is that it has to be someone with elevated rights (another domain admin) or someone that has been delegated the right to add members to the DA group.

Thanks

Mike
0

Featured Post

Get your Conversational Ransomware Defense e‑book

This e-book gives you an insight into the ransomware threat and reviews the fundamentals of top-notch ransomware preparedness and recovery. To help you protect yourself and your organization. The initial infection may be inevitable, so the best protection is to be fully prepared.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article provides a convenient collection of links to Microsoft provided Security Patches for operating systems that have reached their End of Life support cycle. Included operating systems covered by this article are Windows XP,  Windows Server…
Transferring FSMO roles is done when an admin wants to split roles between certain Domain Controllers or the Domain Controller holding the Roles has been forcefully demoted using dcpromo / forceremoval
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …

850 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question