?
Solved

find out who deleted a group in AD (2008)

Posted on 2011-02-18
8
Medium Priority
?
998 Views
Last Modified: 2012-05-11
I have the basic auditing on our Domain Controller running server 2008. Someone deleted a couple of groups and I need to find out who.

How can I find out who removed those groups in Active Directory?
0
Comment
Question by:willlandymore
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 2
8 Comments
 
LVL 14

Assisted Solution

by:athomsfere
athomsfere earned 1000 total points
ID: 34926970
You have to have the auditing enabled when the object is changed, do you know if you have done this?

http://technet.microsoft.com/en-us/library/cc731607%28WS.10%29.aspx
0
 
LVL 1

Author Comment

by:willlandymore
ID: 34927061
they're all listed as 'not defined' so I guess they haven't been turned on.

Is the one for "Audit directory service access" the one that will show deletions and where does it show up in then event logs?
0
 
LVL 1

Author Comment

by:willlandymore
ID: 34927103
okay, I think I found it.

I think it's the "Audit Account Management" one but it says the default is to log success on Domain Controllers so that means if someone deleted the account I should have a success audit saying so
0
Get real performance insights from real users

Key features:
- Total Pages Views and Load times
- Top Pages Viewed and Load Times
- Real Time Site Page Build Performance
- Users’ Browser and Platform Performance
- Geographic User Breakdown
- And more

 
LVL 57

Accepted Solution

by:
Mike Kline earned 1000 total points
ID: 34927162
Yes if you have auditing configured then you will see that event telling you the group was deleted.  More info on the events here:

http://technet.microsoft.com/en-us/library/cc737542(WS.10).aspx

I can take a screenshot later this weekend from my lab if that helps

thanks

Mike
0
 
LVL 1

Author Comment

by:willlandymore
ID: 34927314
yeah, if I knew which part of the tree it's showing up in that would be good so a picture might help. :)
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 34927337
It would be in the security log on the DC.
0
 
LVL 1

Author Comment

by:willlandymore
ID: 34927352
okay, that's the one I'm looking through now
0
 
LVL 1

Author Comment

by:willlandymore
ID: 34927357
thanks for the help
0

Featured Post

How Blockchain Is Impacting Every Industry

Blockchain expert Alex Tapscott talks to Acronis VP Frank Jablonski about this revolutionary technology and how it's making inroads into other industries and facets of everyday life.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Here's a look at newsworthy articles and community happenings during the last month.
Active Directory can easily get cluttered with unused service, user and computer accounts. In this article, I will show you the way I like to implement ADCleanup..
This tutorial will walk an individual through setting the global and backup job media overwrite and protection periods in Backup Exec 2012. Log onto the Backup Exec Central Administration Server. Examine the services. If all or most of them are stop…
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.
Suggested Courses

777 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question