• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2567
  • Last Modified:

Who made the changes on the AD account ?

Hi People,

Does anyone know how to identify and look for the history or log entries for the changes on certain AD account attributes ?

For example, I would like to know which user has modified the account expiry dates.
0
Senior IT System Engineer
Asked:
Senior IT System Engineer
  • 2
2 Solutions
 
LearnctxEngineerCommented:
Look at http://support.microsoft.com/kb/947226. It has a full list of audit events. Once you have auditing enabled, you will want to look for in your case event id 4738 which relates to an update made to an account. You will see an event generated in the Windows EventVwr:

Audit Success      31/05/2013 1:54:19 PM      Microsoft Windows security auditing.      4738      User Account Management

In the event details you will see:

A user account was changed.

Subject:
      Security ID:            DOMAIN\ACCOUNT_NAME
      Account Name:            ACCOUNT_NAME
      Account Domain:            DOMAIN
      Logon ID:            0xe97af9fe4

Target Account:
      Security ID:            DOMAIN\USER_NAME
      Account Name:            USER_NAME
      Account Domain:            DOMAIN

Changed Attributes:
      SAM Account Name:      -
      Display Name:            -
      User Principal Name:      -
      Home Directory:            -
      Home Drive:            -
      Script Path:            -
      Profile Path:            -
      User Workstations:      -
      Password Last Set:      -
     Account Expires:            1/07/2013 12:00:00 AM
      Primary Group ID:      -
      AllowedToDelegateTo:      -
      Old UAC Value:            -
      New UAC Value:            -
      User Account Control:      -
      User Parameters:      -
      SID History:            -
      Logon Hours:            -

Additional Information:
      Privileges:            -

You can consume these event logs with a product like SCOM, SPLUNK, so so forth. Or if your DC's aren't too busy even a scheduled task or script just querying the event logs. We use SPLUNK and SCOM to do this kind of alerting with a bit of data massage to get the relevant alerts to appear.

The log will be specific to the domain controller the change was made from.

A simple grab of the event with PowerShell would be like so.

Get-WinEvent -FilterHashtable @{logname="Security"; id=4738} -ComputerName ServerName

Open in new window

0
 
Senior IT System EngineerIT ProfessionalAuthor Commented:
Thanks for the reply man, however it returns no message details attributes:

TimeCreated  : 31/05/2013 11:38:22 AM
ProviderName : Microsoft-Windows-Security-Auditing
Id           : 4738
Message      :


perhaps I must do that in the DC ?
0
 
Prashant GirennavarCommented:
Yep , You need to do that on the Domain controller.

However there is a downside of this,

Domain controller do not replicate the any of their Event logs with other DC'S. So you need to have the exact domain controller where user account attribute got modified.

Thanks,

-Prashant Girennavar.
0
 
Senior IT System EngineerIT ProfessionalAuthor Commented:
Thanks !
0

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now