
Is this log indicating that a user still exists or was removed?

I am relatively new to log reviews, especially with this software. I do not want to log into the client's DC to check this manually, so I thought I would ask here. Is this log indicating that a user still exists or was removed? The password expiration date increases from the top number to the bottom, so should I be reading it from the top down then?

Thank you and sorry if this was a dumb question.


S.No      Data Source      Model      Date & Time      Event
1      config-change      windows      10/24/2011 11:37:53      uid=DC      hostname=**      ip=**      id=SecuritySettings:LocalUsersOptionalInfo      act=changed      removed=Name:USERNAME | FullName:User Name | AccountType:Normal | Account:Enabled | MaxStorage:-1 | MaxPasswordAge:90 | MinPasswordAge:1 | MinPasswordLength:3 | IsAccountLocked:False | IsPasswordChangeable:Yes | PasswordExpirationDate:10/23/2011 10:45:23 AM | PasswordRequired:False | PasswordMinimumLength:3 | LoginScript: | UserFlags:838*** | HomeDirDrive:H: | HomeDirectory:\\**\home\%username% | PrimaryGroupID:513 | Profile: | AdsPath:WinNT://***/USERNAME | Class:User | GUID*** | Parent:WinNT*****| Schema:WinNT://**** | Description:**  User |      added=Name:USERNAME | FullName:User Name | AccountType:Normal | Account:Enabled | MaxStorage:-1 | MaxPasswordAge:90 | MinPasswordAge:1 | MinPasswordLength:3 | IsAccountLocked:False | IsPasswordChangeable:Yes | PasswordExpirationDate:1/22/2012 11:06:49 AM | PasswordRequired:False | PasswordMinimumLength:3 | LoginScript: | UserFlags:545 | HomeDirDrive:R: | HomeDirectory:\\**** | PrimaryGroupID:513 | Profile: | AdsPath:WinNT://***/USERNAME | Class:User | GUID**** | Parent:WinNT://*** | Schema:WinNT://**/Schema/User | Description:**  User |      authorized=-      window=-      riskscore=1.000000            alertrule=New Rule1      group=Client
Asked:
BinBashBalling
 
arnold Commented:
removed=Name:USERNAME  means this username was removed.

The problem is that you are masquerading things, which effectively makes one assume what it is you are asking.

Where is this log from? You have auditing enabled?
 
BinBashBalling (Author) Commented:
Thanks, that's all I needed to know. It's from eIQ securevue.
Question has a verified solution.
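
An added example (not part of the original thread and not eIQ SecureVue code): a small parser that compares the removed= and added= attribute snapshots of a config-change event like the one in the question and returns only the fields that differ. It assumes removed= carries the previous attribute values and added= the new ones; the function names and the abridged sample line are constructed for illustration.

```python
import re

# Constructed sample: the event from the question, abridged to a few fields.
# Masked values (***) are kept as they appear in the post.
SAMPLE_EVENT = (
    "uid=DC      id=SecuritySettings:LocalUsersOptionalInfo      act=changed      "
    "removed=Name:USERNAME | Account:Enabled | MaxPasswordAge:90 | "
    "PasswordExpirationDate:10/23/2011 10:45:23 AM | UserFlags:838*** | "
    "HomeDirDrive:H: | PrimaryGroupID:513 | AdsPath:WinNT://***/USERNAME |      "
    "added=Name:USERNAME | Account:Enabled | MaxPasswordAge:90 | "
    "PasswordExpirationDate:1/22/2012 11:06:49 AM | UserFlags:545 | "
    "HomeDirDrive:R: | PrimaryGroupID:513 | AdsPath:WinNT://***/USERNAME |      "
    "authorized=-      window=-"
)

def parse_snapshot(event, key):
    """Return the 'Field:Value | Field:Value' block that follows key= as a dict."""
    # The block runs until the next top-level 'name=' token or end of line.
    m = re.search(rf"\b{key}=(.*?)(?=\s+\w+=|$)", event, re.S)
    if not m:
        return {}
    fields = {}
    for item in m.group(1).split("|"):
        # Split on the first colon only: values such as 'H:' or
        # 'WinNT://...' contain colons themselves.
        name, _, value = item.strip().partition(":")
        if name:
            fields[name] = value.strip()
    return fields

def diff_account(event):
    """Compare the removed= and added= snapshots of one config-change event."""
    act = re.search(r"\bact=(\S+)", event)
    old = parse_snapshot(event, "removed")
    new = parse_snapshot(event, "added")
    changed = {k: (old.get(k), new.get(k))
               for k in sorted(old.keys() | new.keys())
               if old.get(k) != new.get(k)}
    return {
        "act": act.group(1) if act else None,
        # True when both snapshots describe the same account name.
        "same_account": bool(old) and old.get("Name") == new.get("Name"),
        "changed": changed,
    }

if __name__ == "__main__":
    result = diff_account(SAMPLE_EVENT)
    print(result["act"], result["same_account"])
    for field, (before, after) in result["changed"].items():
        print(f"{field}: {before!r} -> {after!r}")
```
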
