Can i see who changed a user account

Posted on 2011-09-06
Medium Priority
Last Modified: 2012-08-14
I have a user account in my AD that was changed 5 days ago - can I somehow see who made the change?
Question by:happyhenrik
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions

Accepted Solution

CWCertus1 earned 800 total points
ID: 36487041
If you have auditing enabled, it would be in the security log of the DC that it was changed on. Otherwise I'm afraid not.

Assisted Solution

jeff_01 earned 400 total points
ID: 36487059
Agree with CWCertus1, you need to have set active directory auditing to be able to see that.

LVL 11

Assisted Solution

by:Sanjay Santoki
Sanjay Santoki earned 400 total points
ID: 36487087

To log account management event in event viewer, account management audit should be enabled from the audit policy. Once it is enabled you will have an even in security event log with category of Account Management.

Sanjay Santoki
Byte Technosys
Free Backup Tool for VMware and Hyper-V

Restore full virtual machine or individual guest files from 19 common file systems directly from the backup file. Schedule VM backups with PowerShell scripts. Set desired time, lean back and let the script to notify you via email upon completion.  

LVL 17

Assisted Solution

by:Premkumar Yogeswaran
Premkumar Yogeswaran earned 400 total points
ID: 36487122

you can use the audit log for the changes done in AD.

Other suggestion,
You can go for the third party tool
Quest Change Auditor.

This the tool we use for audit purpose... it works good for changes made in the object.



Author Comment

ID: 36487151
Auditing is enabled but the security log does only go back 5 minutes... Might need to look into that :)
LVL 37

Expert Comment

by:Neil Russell
ID: 36487396

Author Comment

ID: 36487449
Yeah... we have a consultant coming on friday who will help adjusting the logging :-)
LVL 57

Expert Comment

by:Mike Kline
ID: 36488806
You can start preparing for the consultants visit

look at the settings for your event logs  

\Computer Configuration\Windows Settings\Security Settings\Event Log\


I'm guessing it is a combination of having too much logging and the log filling up too fast.  Let us know how it goes.



Author Comment

ID: 36521056
My consultant changed the logging friday morning, and now my security log goes back to friday \o/.

Later today we will adjust our SCOM monitoring to alert me when a user is changed.

Thx for your feedback - I will try to split the points :-)

Featured Post

Office 365 Training for Admins - 7 Day Trial

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Group policies can be applied selectively to specific devices with the help of groups. Utilising this, it is possible to phase-in group policies, over a period of time, by randomly adding non-members user or computers at a set interval, to a group f…
This process allows computer passwords to be managed and secured without using LAPS. This is an improvement on an existing process, enhanced to store password encrypted, instead of clear-text files within SQL
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…
Suggested Courses

719 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question