?
Solved

How to find a change of data in AD?

Posted on 2013-06-26
16
Medium Priority
?
285 Views
Last Modified: 2014-07-31
A user has been given full admin rights!
Is there a way of finding out when this group was added to the user account?

Thanks
0
Comment
Question by:CHI-LTD
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 7
  • 3
  • 2
  • +2
16 Comments
 
LVL 42

Expert Comment

by:sedgwick
ID: 39277306
which group?
do u mean when user were added to specific group?
0
 
LVL 1

Author Comment

by:CHI-LTD
ID: 39277307
domain admins
0
 
LVL 1

Author Comment

by:CHI-LTD
ID: 39277308
yes
0
Is Your AD Toolbox Looking More Like a Toybox?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

 
LVL 11

Accepted Solution

by:
mcnute earned 500 total points
ID: 39277309
You may not find out anymore, but you can in the future by modifying the logging properties of AD.
http://technet.microsoft.com/en-us/library/cc961809.aspx
0
 
LVL 42

Assisted Solution

by:sedgwick
sedgwick earned 1000 total points
ID: 39277322
for future auditing, u need to enable auditing for account management and check the event viewer
on the DC's for event id:
632 (add global group)
636 (add local group)
currently, You can see the last modification of the useraccount on the "Object" tab.
from http://www.winvistatips.com/define-date-user-has-been-added-ad-group-t708268.html
0
 
LVL 1

Author Comment

by:CHI-LTD
ID: 39277332
enable auditing for account mgt.  - is this the same as mcnute has said?
0
 
LVL 42

Assisted Solution

by:sedgwick
sedgwick earned 1000 total points
ID: 39277423
yes kinda, u need to go and configure which audit properties you are interested in.
0
 
LVL 1

Author Comment

by:CHI-LTD
ID: 39277442
0
 
LVL 5

Assisted Solution

by:vin_shooter
vin_shooter earned 500 total points
ID: 39277554
Hi,

You can very well find who/when its been added.

You need to have follow the below steps,

step1:Use the command to get the DN path, dsquery user -name "logonid"

Need to replace logonid with actual userID. Now you'll get the DN Path of the account then,

Step 2: repadmin /showmeta "DNPATH" >>c:\temp\meta.txt

Navigate to c->temp & check for "meta.txt" open it & search the list of changes happened in the object. In that you'll get DC name in which the action of providing "full admin rights"  is performed. Search the security log's you'll came to know the ID who performed that activity.
0
 
LVL 2

Expert Comment

by:titan123
ID: 39277985
Is the auditing enabled ...???

If yes you can check at the logs.
0
 
LVL 1

Author Comment

by:CHI-LTD
ID: 39278014
It looks like (as per my link) its already been set, but i cannot find any records in the event logs...
0
 
LVL 5

Expert Comment

by:vin_shooter
ID: 39289465
Hi,

Have you followed the steps which i have given above..,
0
 
LVL 2

Expert Comment

by:titan123
ID: 39289653
If you are unable to find at the events logs at this case it is very impossible to say that this can be execute or not. Just for this case it is like if you would be using a third party applications also at that moment of case also this is bit impossible as they also can configure your ad auditing as you will go along with your Auditing Started.

If you want you can check out various auditing tools that are available but still there would be a compliance in the reports.

Thanks.
0
 
LVL 1

Author Comment

by:CHI-LTD
ID: 39289654
@  vin_shooter - yes.
@ titan - ?
0
 
LVL 1

Author Comment

by:CHI-LTD
ID: 39317110
Never got there in the end..
Oh well
0

Featured Post

Optimize your web performance

What's in the eBook?
- Full list of reasons for poor performance
- Ultimate measures to speed things up
- Primary web monitoring types
- KPIs you should be monitoring in order to increase your ROI

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Group policies can be applied selectively to specific devices with the help of groups. Utilising this, it is possible to phase-in group policies, over a period of time, by randomly adding non-members user or computers at a set interval, to a group f…
Here's a look at newsworthy articles and community happenings during the last month.
This tutorial will show how to configure a new Backup Exec 2012 server and move an existing database to that server with the use of the BEUtility. Install Backup Exec 2012 on the new server and apply all of the latest hotfixes and service packs. The…
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…
Suggested Courses

777 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question