Solved

Who made the changes on the AD account?

Posted on 2013-05-30
Last Modified: 2013-05-31
Hi People,

Does anyone know how to identify and look for the history or log entries for changes to certain AD account attributes?

For example, I would like to know which user has modified the account expiry dates.
4 Comments
LVL 16

Assisted Solution

by:Learnctx
Learnctx earned 250 total points
ID: 39209858
Look at http://support.microsoft.com/kb/947226. It has a full list of audit events. Once you have auditing enabled, in your case you will want to look for event ID 4738, which relates to an update made to an account. You will see an event generated in the Windows EventVwr:

Audit Success      31/05/2013 1:54:19 PM      Microsoft Windows security auditing.      4738      User Account Management

In the event details you will see:

A user account was changed.

Subject:
      Security ID:            DOMAIN\ACCOUNT_NAME
      Account Name:            ACCOUNT_NAME
      Account Domain:            DOMAIN
      Logon ID:            0xe97af9fe4

Target Account:
      Security ID:            DOMAIN\USER_NAME
      Account Name:            USER_NAME
      Account Domain:            DOMAIN

Changed Attributes:
      SAM Account Name:      -
      Display Name:            -
      User Principal Name:      -
      Home Directory:            -
      Home Drive:            -
      Script Path:            -
      Profile Path:            -
      User Workstations:      -
      Password Last Set:      -
      Account Expires:            1/07/2013 12:00:00 AM
      Primary Group ID:      -
      AllowedToDelegateTo:      -
      Old UAC Value:            -
      New UAC Value:            -
      User Account Control:      -
      User Parameters:      -
      SID History:            -
      Logon Hours:            -

Additional Information:
      Privileges:            -

You can consume these event logs with a product like SCOM, Splunk, and so forth. Or, if your DCs aren't too busy, even a scheduled task or script just querying the event logs. We use Splunk and SCOM to do this kind of alerting with a bit of data massage to get the relevant alerts to appear.

The log will be specific to the domain controller the change was made from.

A simple grab of the event with PowerShell would be like so:

```powershell
Get-WinEvent -FilterHashtable @{logname="Security"; id=4738} -ComputerName ServerName
```
LVL 7

Author Comment

by:Senior IT System Engineer
ID: 39210092
Thanks for the reply, man; however, it returns no message detail attributes:

TimeCreated  : 31/05/2013 11:38:22 AM
ProviderName : Microsoft-Windows-Security-Auditing
Id           : 4738
Message      :

Perhaps I must do that on the DC?
LVL 10

Accepted Solution

by:Prashant Girennavar
Prashant Girennavar earned 250 total points
ID: 39210219
Yep, you need to do that on the domain controller.

However, there is a downside to this:

Domain controllers do not replicate any of their event logs with other DCs. So you need to have the exact domain controller where the user account attribute got modified.

Thanks,

-Prashant Girennavar.
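The two answers above fit together: event 4738 records who changed the account, but each DC keeps its own Security log, so you have to ask every DC. The script below is an added example, not posted by any of the participants. It queries 4738 on every DC returned by Get-ADDomainController and reports only the changes that touched the Account Expires attribute. It reads the event's XML payload instead of the Message text, which is why it also sidesteps the blank Message seen in the author's remote query (Message rendering needs the provider's resources on the querying machine; the XML payload travels with the record). It assumes the RSAT ActiveDirectory module is installed and that the caller can read the Security log on each DC; the field names (SubjectUserName, TargetUserName, AccountExpires, and so on) are the ones in the 4738 event schema.

```powershell
# Added example (not from the thread): find who changed the account-expiry
# attribute by collecting event 4738 from every domain controller.
# Assumes: RSAT ActiveDirectory module available, and read access to the
# Security log on each DC (e.g. Event Log Readers membership).

Import-Module ActiveDirectory

# Security logs are not replicated between DCs, so query all of them.
$dcs   = (Get-ADDomainController -Filter *).HostName
$since = (Get-Date).AddDays(-7)

$results = foreach ($dc in $dcs) {
    # Get-WinEvent throws "No events were found" when nothing matches;
    # SilentlyContinue treats that as an empty result for this DC.
    $events = Get-WinEvent -ComputerName $dc -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4738
        StartTime = $since
    } -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Use the raw event payload rather than $e.Message: the payload is
        # stored with the record, while Message needs the provider's
        # message resources on the machine running the query.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) {
            $data[$d.Name] = $d.'#text'
        }

        # In 4738, a '-' means that attribute was not part of this change.
        if ($data['AccountExpires'] -and $data['AccountExpires'] -ne '-') {
            [pscustomobject]@{
                TimeCreated      = $e.TimeCreated
                DomainController = $dc
                ChangedBy        = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
                TargetAccount    = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
                AccountExpires   = $data['AccountExpires']
            }
        }
    }
}

$results | Sort-Object TimeCreated | Format-Table -AutoSize
```

If the script returns nothing even though you know an expiry date was changed, check that the audit subcategory is actually on at the DCs (`auditpol /get /subcategory:"User Account Management"`); without it, no 4738 events are written at all. Swapping `AccountExpires` for another field name from the event (for example `UserAccountControl` or `SidHistory`) turns the same loop into a report for that attribute.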
LVL 7

Author Closing Comment

by:Senior IT System Engineer
ID: 39212208
Thanks !