Solved

How to find a change of data in AD?

Posted on 2013-06-26
16
283 Views
Last Modified: 2014-07-31
A user has been given full admin rights!
Is there a way of finding out when this group was added to the user account?

Thanks
0
Comment
Question by:CHI-LTD
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 7
  • 3
  • 2
  • +2
16 Comments
 
LVL 42

Expert Comment

by:sedgwick
ID: 39277306
which group?
do u mean when user were added to specific group?
0
 
LVL 1

Author Comment

by:CHI-LTD
ID: 39277307
domain admins
0
 
LVL 1

Author Comment

by:CHI-LTD
ID: 39277308
yes
0
The Ultimate Checklist to Optimize Your Website

Websites are getting bigger and complicated by the day. Video, images, custom fonts are all great for showcasing your product/service. But the price to pay in terms of reduced page load times and ultimately, decreased sales, can lead to some difficult decisions about what to cut.

 
LVL 11

Accepted Solution

by:
mcnute earned 125 total points
ID: 39277309
You may not find out anymore, but you can in the future by modifying the logging properties of AD.
http://technet.microsoft.com/en-us/library/cc961809.aspx
0
 
LVL 42

Assisted Solution

by:sedgwick
sedgwick earned 250 total points
ID: 39277322
for future auditing, u need to enable auditing for account management and check the event viewer
on the DC's for event id:
632 (add global group)
636 (add local group)
currently, You can see the last modification of the useraccount on the "Object" tab.
from http://www.winvistatips.com/define-date-user-has-been-added-ad-group-t708268.html
0
 
LVL 1

Author Comment

by:CHI-LTD
ID: 39277332
enable auditing for account mgt.  - is this the same as mcnute has said?
0
 
LVL 42

Assisted Solution

by:sedgwick
sedgwick earned 250 total points
ID: 39277423
yes kinda, u need to go and configure which audit properties you are interested in.
0
 
LVL 1

Author Comment

by:CHI-LTD
ID: 39277442
0
 
LVL 5

Assisted Solution

by:vin_shooter
vin_shooter earned 125 total points
ID: 39277554
Hi,

You can very well find who/when its been added.

You need to have follow the below steps,

step1:Use the command to get the DN path, dsquery user -name "logonid"

Need to replace logonid with actual userID. Now you'll get the DN Path of the account then,

Step 2: repadmin /showmeta "DNPATH" >>c:\temp\meta.txt

Navigate to c->temp & check for "meta.txt" open it & search the list of changes happened in the object. In that you'll get DC name in which the action of providing "full admin rights"  is performed. Search the security log's you'll came to know the ID who performed that activity.
0
 
LVL 2

Expert Comment

by:titan123
ID: 39277985
Is the auditing enabled ...???

If yes you can check at the logs.
0
 
LVL 1

Author Comment

by:CHI-LTD
ID: 39278014
It looks like (as per my link) its already been set, but i cannot find any records in the event logs...
0
 
LVL 5

Expert Comment

by:vin_shooter
ID: 39289465
Hi,

Have you followed the steps which i have given above..,
0
 
LVL 2

Expert Comment

by:titan123
ID: 39289653
If you are unable to find at the events logs at this case it is very impossible to say that this can be execute or not. Just for this case it is like if you would be using a third party applications also at that moment of case also this is bit impossible as they also can configure your ad auditing as you will go along with your Auditing Started.

If you want you can check out various auditing tools that are available but still there would be a compliance in the reports.

Thanks.
0
 
LVL 1

Author Comment

by:CHI-LTD
ID: 39289654
@  vin_shooter - yes.
@ titan - ?
0
 
LVL 1

Author Comment

by:CHI-LTD
ID: 39317110
Never got there in the end..
Oh well
0

Featured Post

Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Active Directory security has been a hot topic of late, and for good reason. With 90% of the world’s organization using this system to manage access to all parts of their IT infrastructure, knowing how to protect against threats and keep vulnerabil…
I was prompted to write this article after the recent World-Wide Ransomware outbreak. For years now, System Administrators around the world have used the excuse of "Waiting a Bit" before applying Security Patch Updates. This type of reasoning to me …
To efficiently enable the rotation of USB drives for backups, storage pools need to be created. This way no matter which USB drive is installed, the backups will successfully write without any administrative intervention. Multiple USB devices need t…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…

724 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question