Solved

Who made the changes on the AD account?

Posted on 2013-05-30
Last Modified: 2013-05-31
Hi People,

Does anyone know how to identify and look for the history or log entries for the changes on certain AD account attributes?

For example, I would like to know which user has modified the account expiry dates.
Assisted Solution

by: Learnctx
ID: 39209858
Look at http://support.microsoft.com/kb/947226. It has a full list of audit events. Once you have auditing enabled, you will want to look, in your case, for event ID 4738, which relates to an update made to an account. You will see an event generated in the Windows Event Viewer:

Audit Success      31/05/2013 1:54:19 PM      Microsoft Windows security auditing.      4738      User Account Management

In the event details you will see:

A user account was changed.

Subject:
      Security ID:            DOMAIN\ACCOUNT_NAME
      Account Name:            ACCOUNT_NAME
      Account Domain:            DOMAIN
      Logon ID:            0xe97af9fe4

Target Account:
      Security ID:            DOMAIN\USER_NAME
      Account Name:            USER_NAME
      Account Domain:            DOMAIN

Changed Attributes:
      SAM Account Name:      -
      Display Name:            -
      User Principal Name:      -
      Home Directory:            -
      Home Drive:            -
      Script Path:            -
      Profile Path:            -
      User Workstations:      -
      Password Last Set:      -
     Account Expires:            1/07/2013 12:00:00 AM
      Primary Group ID:      -
      AllowedToDelegateTo:      -
      Old UAC Value:            -
      New UAC Value:            -
      User Account Control:      -
      User Parameters:      -
      SID History:            -
      Logon Hours:            -

Additional Information:
      Privileges:            -

You can consume these event logs with a product like SCOM, Splunk, and so forth. Or, if your DCs aren't too busy, even a scheduled task or script that just queries the event logs. We use Splunk and SCOM to do this kind of alerting, with a bit of data massage to get the relevant alerts to appear.

The log will be specific to the domain controller the change was made from.

A simple grab of the event with PowerShell would be like so:

Get-WinEvent -FilterHashtable @{logname="Security"; id=4738} -ComputerName ServerName

Author Comment

by: Senior IT System Engineer
ID: 39210092
Thanks for the reply, man; however, it returns no Message details attributes:

TimeCreated  : 31/05/2013 11:38:22 AM
ProviderName : Microsoft-Windows-Security-Auditing
Id           : 4738
Message      :


Perhaps I must do that on the DC?

Accepted Solution

by: Prashant Girennavar
ID: 39210219
Yep, you need to do that on the domain controller.

However, there is a downside to this:

Domain controllers do not replicate any of their event logs to other DCs, so you need to find the exact domain controller where the user account attribute got modified.

Thanks,

-Prashant Girennavar.
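Putting the two answers together (event 4738, queried on every DC because the Security log is not replicated), here is an added PowerShell example that is not from the thread. It reads the fields from the event's XML instead of the Message text, which came back empty above, and assumes the ActiveDirectory module is installed and the account running it can read each DC's Security log; Get-EventField is a helper written for this example.

```powershell
# Added example (not from the thread): collect 4738 events from every DC and
# keep only those where "Account Expires" was actually changed.
# Assumes the ActiveDirectory module and read access to each DC's Security log.
Import-Module ActiveDirectory

# Read a named field from the event's EventData block rather than parsing Message,
# which can come back empty when the event is pulled remotely (as seen above).
function Get-EventField {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

$since = (Get-Date).AddDays(-7)   # look back one week; adjust as needed
$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

$changes = foreach ($dc in $dcs) {
    try {
        $events = Get-WinEvent -ComputerName $dc -FilterHashtable @{
            LogName = 'Security'; Id = 4738; StartTime = $since
        } -ErrorAction Stop
    } catch {
        # A DC with no matching events in the window also lands here.
        Write-Warning "$dc : $($_.Exception.Message)"
        continue
    }
    foreach ($e in $events) {
        $expires = Get-EventField $e 'AccountExpires'
        # 4738 is logged for any attribute change; '-' means this field was untouched.
        if ($expires -eq '-') { continue }
        [pscustomobject]@{
            When           = $e.TimeCreated
            DC             = $dc
            ChangedBy      = "$(Get-EventField $e 'SubjectDomainName')\$(Get-EventField $e 'SubjectUserName')"
            TargetAccount  = Get-EventField $e 'TargetUserName'
            AccountExpires = $expires
        }
    }
}

$changes | Sort-Object When | Format-Table -AutoSize
```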
Author Closing Comment

by: Senior IT System Engineer
ID: 39212208
Thanks !