  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 487

Is this log indicating that a user still exists or was removed?

I am relatively new to log reviews, especially with this software. I do not want to log into the client's DC to check this manually, so I thought I would ask here. Is this log indicating that a user still exists or was removed? The password expiration date increases from the top number to the bottom, so should I be reading it from the top down then?

Thank you and sorry if this was a dumb question.


S.No      Data Source      Model      Date & Time      Event
1      config-change      windows      10/24/2011 11:37:53      uid=DC      hostname=**      ip=**      id=SecuritySettings:LocalUsersOptionalInfo      act=changed      removed=Name:USERNAME | FullName:User Name | AccountType:Normal | Account:Enabled | MaxStorage:-1 | MaxPasswordAge:90 | MinPasswordAge:1 | MinPasswordLength:3 | IsAccountLocked:False | IsPasswordChangeable:Yes | PasswordExpirationDate:10/23/2011 10:45:23 AM | PasswordRequired:False | PasswordMinimumLength:3 | LoginScript: | UserFlags:838*** | HomeDirDrive:H: | HomeDirectory:\\**\home\%username% | PrimaryGroupID:513 | Profile: | AdsPath:WinNT://***/USERNAME | Class:User | GUID*** | Parent:WinNT*****| Schema:WinNT://**** | Description:**  User |      added=Name:USERNAME | FullName:User Name | AccountType:Normal | Account:Enabled | MaxStorage:-1 | MaxPasswordAge:90 | MinPasswordAge:1 | MinPasswordLength:3 | IsAccountLocked:False | IsPasswordChangeable:Yes | PasswordExpirationDate:1/22/2012 11:06:49 AM | PasswordRequired:False | PasswordMinimumLength:3 | LoginScript: | UserFlags:545 | HomeDirDrive:R: | HomeDirectory:\\**** | PrimaryGroupID:513 | Profile: | AdsPath:WinNT://***/USERNAME | Class:User | GUID**** | Parent:WinNT://*** | Schema:WinNT://**/Schema/User | Description:**  User |      authorized=-      window=-      riskscore=1.000000            alertrule=New Rule1      group=Client
Asked: BinBashBalling

arnold Commented:
removed=Name:USERNAME  means this username was removed.

The problem is you are masquerading things, which effectively makes one assume what it is you are asking.

Where is this log from? You have auditing enabled?
 
BinBashBalling (Author) Commented:
Thanks, that's all I needed to know. It's from eIQ securevue.
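
Added example, not part of the thread and not eIQ SecureVue code: the posted record carries act=changed with both a removed= and an added= block for the same Name, so one way to review it is to parse both blocks and list only the attributes that differ. The field layout, and the reading of removed= as the earlier values and added= as the later ones, are assumptions drawn from the posted line; the sample is a shortened, constructed copy of it.

```python
import re

# Constructed sample: a shortened copy of the record in the question,
# keeping its masking (**) and only a subset of its attributes.
SAMPLE = (
    "uid=DC      hostname=**      ip=**      "
    "id=SecuritySettings:LocalUsersOptionalInfo      act=changed      "
    "removed=Name:USERNAME | Account:Enabled | MaxPasswordAge:90 | "
    "PasswordExpirationDate:10/23/2011 10:45:23 AM | UserFlags:838*** | "
    "HomeDirDrive:H: | GUID*** |      "
    "added=Name:USERNAME | Account:Enabled | MaxPasswordAge:90 | "
    "PasswordExpirationDate:1/22/2012 11:06:49 AM | UserFlags:545 | "
    "HomeDirDrive:R: | GUID**** |      "
    "authorized=-      window=-      riskscore=1.000000"
)

# Assumption: an attribute block ends where the next top-level key begins.
BLOCK = re.compile(
    r"\b(removed|added)=(.*?)(?=\s+(?:removed|added|authorized)=|$)", re.S
)

def parse_block(text):
    """Split 'Key:Value | Key:Value |' into a dict; values may contain ':'."""
    attrs = {}
    for item in text.split("|"):
        item = item.strip()
        if not item:
            continue
        key, sep, value = item.partition(":")
        if not sep:  # masked item such as 'GUID***': no value survives
            key, value = item.rstrip("*"), "<masked>"
        attrs[key.strip()] = value.strip()
    return attrs

def diff_record(line):
    """Return (act, {attribute: (removed_value, added_value)}) for differences."""
    act = re.search(r"\bact=(\S+)", line)
    blocks = {name: parse_block(body) for name, body in BLOCK.findall(line)}
    old, new = blocks.get("removed", {}), blocks.get("added", {})
    changed = {k: (old.get(k), new.get(k))
               for k in sorted(set(old) | set(new)) if old.get(k) != new.get(k)}
    return (act.group(1) if act else None), changed

if __name__ == "__main__":
    act, changed = diff_record(SAMPLE)
    print("act =", act)
    for attr, (before, after) in changed.items():
        print(f"{attr}: {before!r} -> {after!r}")
```

An attribute that appears in only one block shows up with None on the other side, which makes a block that is entirely missing easy to spot.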