Solved

find out who deleted a group in AD (2008)

Posted on 2011-02-18
8
990 Views
Last Modified: 2012-05-11
I have the basic auditing on our Domain Controller running server 2008. Someone deleted a couple of groups and I need to find out who.

How can I find out who removed those groups in Active Directory?
0
Comment
Question by:willlandymore
  • 5
  • 2
8 Comments
 
LVL 14

Assisted Solution

by:athomsfere
athomsfere earned 250 total points
ID: 34926970
You have to have the auditing enabled when the object is changed, do you know if you have done this?

http://technet.microsoft.com/en-us/library/cc731607%28WS.10%29.aspx
0
 
LVL 1

Author Comment

by:willlandymore
ID: 34927061
they're all listed as 'not defined' so I guess they haven't been turned on.

Is the one for "Audit directory service access" the one that will show deletions and where does it show up in then event logs?
0
 
LVL 1

Author Comment

by:willlandymore
ID: 34927103
okay, I think I found it.

I think it's the "Audit Account Management" one but it says the default is to log success on Domain Controllers so that means if someone deleted the account I should have a success audit saying so
0
 
LVL 57

Accepted Solution

by:
Mike Kline earned 250 total points
ID: 34927162
Yes if you have auditing configured then you will see that event telling you the group was deleted.  More info on the events here:

http://technet.microsoft.com/en-us/library/cc737542(WS.10).aspx

I can take a screenshot later this weekend from my lab if that helps

thanks

Mike
0
Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

 
LVL 1

Author Comment

by:willlandymore
ID: 34927314
yeah, if I knew which part of the tree it's showing up in that would be good so a picture might help. :)
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 34927337
It would be in the security log on the DC.
0
 
LVL 1

Author Comment

by:willlandymore
ID: 34927352
okay, that's the one I'm looking through now
0
 
LVL 1

Author Comment

by:willlandymore
ID: 34927357
thanks for the help
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Sometimes drives fill up and we don't know why.  If you don't understand the best way to use the tools available, you may end up being stumped as to why your drive says it's not full when you have no space left!  Here's how you can find out...
Restoring deleted objects in Active Directory has been a standard feature in Active Directory for many years, yet some admins may not know what is available.
This tutorial will walk an individual through the steps necessary to configure their installation of BackupExec 2012 to use network shared disk space. Verify that the path to the shared storage is valid and that data can be written to that location:…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

863 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

22 Experts available now in Live!

Get 1:1 Help Now