Go Premium for a chance to win a PS4. Enter to Win

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 328
  • Last Modified:

Can i see who changed a user account

I have a user account in my AD that was changed 5 days ago - can I somehow see who made the change?
0
happyhenrik
Asked:
happyhenrik
4 Solutions
 
CWCertus1Commented:
If you have auditing enabled, it would be in the security log of the DC that it was changed on. Otherwise I'm afraid not.
0
 
jeff_01Commented:
Agree with CWCertus1, you need to have set active directory auditing to be able to see that.



0
 
Sanjay SantokiCommented:
Hello,

To log account management event in event viewer, account management audit should be enabled from the audit policy. Once it is enabled you will have an even in security event log with category of Account Management.

Thanks,
Sanjay Santoki
Byte Technosys
0
Free learning courses: Active Directory Deep Dive

Get a firm grasp on your IT environment when you learn Active Directory best practices with Veeam! Watch all, or choose any amount, of this three-part webinar series to improve your skills. From the basics to virtualization and backup, we got you covered.

 
Premkumar YogeswaranCommented:
Hi,

you can use the audit log for the changes done in AD.

Other suggestion,
You can go for the third party tool
Quest Change Auditor.

This the tool we use for audit purpose... it works good for changes made in the object.

Regards,
Prem


0
 
happyhenrikAuthor Commented:
Auditing is enabled but the security log does only go back 5 minutes... Might need to look into that :)
0
 
Neil RussellTechnical Development LeadCommented:
Ouch!
0
 
happyhenrikAuthor Commented:
Yeah... we have a consultant coming on friday who will help adjusting the logging :-)
0
 
Mike KlineCommented:
You can start preparing for the consultants visit

look at the settings for your event logs  

\Computer Configuration\Windows Settings\Security Settings\Event Log\

http://technet.microsoft.com/en-us/library/cc778402(WS.10).aspx

I'm guessing it is a combination of having too much logging and the log filling up too fast.  Let us know how it goes.


Thanks

Mike
0
 
happyhenrikAuthor Commented:
My consultant changed the logging friday morning, and now my security log goes back to friday \o/.

Later today we will adjust our SCOM monitoring to alert me when a user is changed.

Thx for your feedback - I will try to split the points :-)
0

Featured Post

Free Tool: SSL Checker

Scans your site and returns information about your SSL implementation and certificate. Helpful for debugging and validating your SSL configuration.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now