Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people, just like you, are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
Solved

Who made the changes on the AD account ?

Posted on 2013-05-30
4
1,646 Views
Last Modified: 2013-05-31
Hi People,

Does anyone know how to identify and look for the history or log entries for the changes on certain AD account attributes ?

For example, I would like to know which user has modified the account expiry dates.
0
Comment
  • 2
4 Comments
 
LVL 17

Assisted Solution

by:Learnctx
Learnctx earned 250 total points
ID: 39209858
Look at http://support.microsoft.com/kb/947226. It has a full list of audit events. Once you have auditing enabled, you will want to look for in your case event id 4738 which relates to an update made to an account. You will see an event generated in the Windows EventVwr:

Audit Success      31/05/2013 1:54:19 PM      Microsoft Windows security auditing.      4738      User Account Management

In the event details you will see:

A user account was changed.

Subject:
      Security ID:            DOMAIN\ACCOUNT_NAME
      Account Name:            ACCOUNT_NAME
      Account Domain:            DOMAIN
      Logon ID:            0xe97af9fe4

Target Account:
      Security ID:            DOMAIN\USER_NAME
      Account Name:            USER_NAME
      Account Domain:            DOMAIN

Changed Attributes:
      SAM Account Name:      -
      Display Name:            -
      User Principal Name:      -
      Home Directory:            -
      Home Drive:            -
      Script Path:            -
      Profile Path:            -
      User Workstations:      -
      Password Last Set:      -
     Account Expires:            1/07/2013 12:00:00 AM
      Primary Group ID:      -
      AllowedToDelegateTo:      -
      Old UAC Value:            -
      New UAC Value:            -
      User Account Control:      -
      User Parameters:      -
      SID History:            -
      Logon Hours:            -

Additional Information:
      Privileges:            -

You can consume these event logs with a product like SCOM, SPLUNK, so so forth. Or if your DC's aren't too busy even a scheduled task or script just querying the event logs. We use SPLUNK and SCOM to do this kind of alerting with a bit of data massage to get the relevant alerts to appear.

The log will be specific to the domain controller the change was made from.

A simple grab of the event with PowerShell would be like so.

Get-WinEvent -FilterHashtable @{logname="Security"; id=4738} -ComputerName ServerName

Open in new window

0
 
LVL 7

Author Comment

by:Senior IT System Engineer
ID: 39210092
Thanks for the reply man, however it returns no message details attributes:

TimeCreated  : 31/05/2013 11:38:22 AM
ProviderName : Microsoft-Windows-Security-Auditing
Id           : 4738
Message      :


perhaps I must do that in the DC ?
0
 
LVL 10

Accepted Solution

by:
Prashant Girennavar earned 250 total points
ID: 39210219
Yep , You need to do that on the Domain controller.

However there is a downside of this,

Domain controller do not replicate the any of their Event logs with other DC'S. So you need to have the exact domain controller where user account attribute got modified.

Thanks,

-Prashant Girennavar.
0
 
LVL 7

Author Closing Comment

by:Senior IT System Engineer
ID: 39212208
Thanks !
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A safe way to clean winsxs folder from your windows server 2008 R2 editions
Last week, our Skyport webinar on “How to secure your Active Directory” (https://www.experts-exchange.com/videos/5810/Webinar-Is-Your-Active-Directory-as-Secure-as-You-Think.html?cid=Gene_Skyport) provided 218 attendees with a step-by-step guide for…
This tutorial will walk an individual through locating and launching the BEUtility application and how to execute it on the appropriate database. Log onto the server running the Backup Exec database. In a larger environment, this would generally be …
This tutorial will walk an individual through the steps necessary to install and configure the Windows Server Backup Utility. Directly connect an external storage device such as a USB drive, or CD\DVD burner: If the device is a USB drive, ensure i…

792 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question