Solved

Who made the changes on the AD account ?

Posted on 2013-05-30
1,853 Views
Last Modified: 2013-05-31
Hi People,

Does anyone know how to identify and look for the history or log entries for the changes on certain AD account attributes ?

For example, I would like to know which user has modified the account expiry dates.
4 Comments
 
LVL 17

Assisted Solution

by:Learnctx
Learnctx earned 250 total points
ID: 39209858
Look at http://support.microsoft.com/kb/947226. It has a full list of audit events. Once you have auditing enabled, you will want to look, in your case, for event ID 4738, which relates to an update made to an account. You will see an event generated in the Windows EventVwr:

Audit Success      31/05/2013 1:54:19 PM      Microsoft Windows security auditing.      4738      User Account Management

In the event details you will see:

A user account was changed.

Subject:
      Security ID:            DOMAIN\ACCOUNT_NAME
      Account Name:            ACCOUNT_NAME
      Account Domain:            DOMAIN
      Logon ID:            0xe97af9fe4

Target Account:
      Security ID:            DOMAIN\USER_NAME
      Account Name:            USER_NAME
      Account Domain:            DOMAIN

Changed Attributes:
      SAM Account Name:      -
      Display Name:            -
      User Principal Name:      -
      Home Directory:            -
      Home Drive:            -
      Script Path:            -
      Profile Path:            -
      User Workstations:      -
      Password Last Set:      -
      Account Expires:            1/07/2013 12:00:00 AM
      Primary Group ID:      -
      AllowedToDelegateTo:      -
      Old UAC Value:            -
      New UAC Value:            -
      User Account Control:      -
      User Parameters:      -
      SID History:            -
      Logon Hours:            -

Additional Information:
      Privileges:            -

You can consume these event logs with a product like SCOM, SPLUNK, and so forth. Or, if your DCs aren't too busy, even a scheduled task or script just querying the event logs. We use SPLUNK and SCOM to do this kind of alerting, with a bit of data massage to get the relevant alerts to appear.

The log will be specific to the domain controller the change was made from.

A simple grab of the event with PowerShell would be like so.

Get-WinEvent -FilterHashtable @{logname="Security"; id=4738} -ComputerName ServerName

 
LVL 8

Author Comment

by:Senior IT System Engineer
ID: 39210092
Thanks for the reply man, however it returns no message detail attributes:

TimeCreated  : 31/05/2013 11:38:22 AM
ProviderName : Microsoft-Windows-Security-Auditing
Id           : 4738
Message      :


Perhaps I must do that on the DC?
 
LVL 10

Accepted Solution

by:
Prashant Girennavar earned 250 total points
ID: 39210219
Yep, you need to do that on the domain controller.

However, there is a downside to this:

Domain controllers do not replicate any of their event logs to other DCs. So you need to find the exact domain controller where the user account attribute got modified.

Thanks,

-Prashant Girennavar.
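Putting the two answers above together: the first shows that event 4738 carries both the subject (who made the change) and the changed "Account Expires" value, and the second points out that each DC keeps its own Security log. The following is an added example, not code posted in this thread, that queries every domain controller for 4738 and reads the fields from the event's XML, which does not depend on the rendered Message string. It assumes the RSAT ActiveDirectory module is installed, that the caller can read the Security log on each DC remotely, and that "Audit User Account Management" is enabled; the seven-day look-back window is an arbitrary choice.

```powershell
# Added example, not from the original thread. Finds who changed the
# "Account Expires" attribute on which account, across all domain controllers.
# Assumptions: RSAT ActiveDirectory module installed, remote read access to
# each DC's Security log, and "Audit User Account Management" auditing enabled.
Import-Module ActiveDirectory

$since = (Get-Date).AddDays(-7)          # arbitrary look-back window
$dcs   = (Get-ADDomainController -Filter *).HostName

# Each DC only logs the changes it processed itself, so ask every one of them.
$events = foreach ($dc in $dcs) {
    try {
        Get-WinEvent -ComputerName $dc -ErrorAction Stop -FilterHashtable @{
            LogName   = 'Security'
            Id        = 4738
            StartTime = $since
        }
    }
    catch {
        # Get-WinEvent reports "no events" as an error; only warn on real failures
        if ($_.Exception.Message -notmatch 'No events were found') {
            Write-Warning "$dc : $($_.Exception.Message)"
        }
    }
}

$changes = foreach ($e in $events) {
    # Pull the named EventData fields out of the raw XML instead of parsing Message
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
        $data[$d.Name] = $d.'#text'
    }

    # 4738 fires for any attribute change; "-" means that field was not touched
    if ($data['AccountExpires'] -ne '-') {
        [pscustomobject]@{
            When      = $e.TimeCreated
            DC        = $e.MachineName
            ChangedBy = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
            Target    = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
            NewExpiry = $data['AccountExpires']
        }
    }
}

$changes | Sort-Object When | Format-Table -AutoSize
```

Before trusting an empty result, confirm on each DC that the audit policy is actually in effect: `auditpol /get /subcategory:"User Account Management"` should report Success, otherwise no 4738 is ever written. The Security log on a busy DC also rolls over quickly, so forwarding these events to a collector or the SIEM mentioned in the first answer is what makes the history durable.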
 
LVL 8

Author Closing Comment

by:Senior IT System Engineer
ID: 39212208
Thanks !