Can i see who changed a user account

Posted on 2011-09-06
Last Modified: 2012-08-14
I have a user account in my AD that was changed 5 days ago - can I somehow see who made the change?
Question by:happyhenrik

Accepted Solution

CWCertus1 earned 200 total points
Comment Utility
If you have auditing enabled, it would be in the security log of the DC that it was changed on. Otherwise I'm afraid not.

Assisted Solution

jeff_01 earned 100 total points
Comment Utility
Agree with CWCertus1, you need to have set active directory auditing to be able to see that.

LVL 11

Assisted Solution

by:Sanjay Santoki
Sanjay Santoki earned 100 total points
Comment Utility

To log account management event in event viewer, account management audit should be enabled from the audit policy. Once it is enabled you will have an even in security event log with category of Account Management.

Sanjay Santoki
Byte Technosys
LVL 17

Assisted Solution

by:Premkumar Yogeswaran
Premkumar Yogeswaran earned 100 total points
Comment Utility

you can use the audit log for the changes done in AD.

Other suggestion,
You can go for the third party tool
Quest Change Auditor.

This the tool we use for audit purpose... it works good for changes made in the object.


Highfive + Dolby Voice = No More Audio Complaints!

Poor audio quality is one of the top reasons people don’t use video conferencing. Get the crispest, clearest audio powered by Dolby Voice in every meeting. Highfive and Dolby Voice deliver the best video conferencing and audio experience for every meeting and every room.


Author Comment

Comment Utility
Auditing is enabled but the security log does only go back 5 minutes... Might need to look into that :)
LVL 37

Expert Comment

by:Neil Russell
Comment Utility

Author Comment

Comment Utility
Yeah... we have a consultant coming on friday who will help adjusting the logging :-)
LVL 57

Expert Comment

by:Mike Kline
Comment Utility
You can start preparing for the consultants visit

look at the settings for your event logs  

\Computer Configuration\Windows Settings\Security Settings\Event Log\

I'm guessing it is a combination of having too much logging and the log filling up too fast.  Let us know how it goes.



Author Comment

Comment Utility
My consultant changed the logging friday morning, and now my security log goes back to friday \o/.

Later today we will adjust our SCOM monitoring to alert me when a user is changed.

Thx for your feedback - I will try to split the points :-)

Featured Post

Microsoft Certification Exam 74-409

Veeam® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.

Join & Write a Comment

I'm sure that every Windows systems administrator has written, or at least used, a batch or VBS login script at some point in their career, whether it is to map network drives, install printers, or set some user preferences.  No more! With Window…
Restoring deleted objects in Active Directory has been a standard feature in Active Directory for many years, yet some admins may not know what is available.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now