Solved

How to find a change of data in AD?

Posted on 2013-06-26
Last Modified: 2014-07-31
A user has been given full admin rights!
Is there a way of finding out when this group was added to the user account?

Thanks
0
Question by:CHI-LTD
16 Comments
 
LVL 42

Expert Comment

by:sedgwick
ID: 39277306
Which group?
Do you mean when the user was added to a specific group?
0
 
LVL 1

Author Comment

by:CHI-LTD
ID: 39277307
Domain Admins
0
 
LVL 1

Author Comment

by:CHI-LTD
ID: 39277308
yes
0

 
LVL 11

Accepted Solution

by:mcnute
mcnute earned 125 total points
ID: 39277309
You may not find out anymore, but you can in the future by modifying the logging properties of AD.
http://technet.microsoft.com/en-us/library/cc961809.aspx
0
 
LVL 42

Assisted Solution

by:sedgwick
sedgwick earned 250 total points
ID: 39277322
For future auditing, you need to enable auditing for account management and check the Event Viewer
on the DCs for these event IDs:
632 (add global group)
636 (add local group)
Currently, you can see the last modification of the user account on the "Object" tab.
From http://www.winvistatips.com/define-date-user-has-been-added-ad-group-t708268.html
0
 
LVL 1

Author Comment

by:CHI-LTD
ID: 39277332
Enable auditing for account management - is this the same as what mcnute has said?
0
 
LVL 42

Assisted Solution

by:sedgwick
sedgwick earned 250 total points
ID: 39277423
Yes, kind of. You need to go and configure which audit properties you are interested in.
0
 
LVL 1

Author Comment

by:CHI-LTD
ID: 39277442
0
 
LVL 5

Assisted Solution

by:vin_shooter
vin_shooter earned 125 total points
ID: 39277554
Hi,

You can very well find who/when it's been added.

You need to follow the steps below.

Step 1: Use this command to get the DN path: dsquery user -name "logonid"

You need to replace logonid with the actual user ID. Now you'll get the DN path of the account.

Step 2: repadmin /showmeta "DNPATH" >>c:\temp\meta.txt

Navigate to c:\temp, open "meta.txt" and search the list of changes that happened to the object. In it you'll get the name of the DC on which the action of providing "full admin rights" was performed. Search the security logs and you'll come to know the ID that performed that activity.
0
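An added example, not part of any post in this thread: group membership is stored in the group's member attribute, so the per-member replication timestamps can be read from the group object and then matched against the Security log of the originating DC. It assumes the RSAT ActiveDirectory module and linked-value replication (forest functional level 2003 or later); on Windows Server 2008 and later the events corresponding to 632/636 are 4728/4732 (4756 for universal groups). The function names and the values in the usage comment are hypothetical.

```powershell
# Added example, not from the thread. Requires the RSAT ActiveDirectory module.
# Function names and the values in the usage comment are hypothetical.
Import-Module ActiveDirectory

function Get-GroupMemberLinkMetadata {
    param(
        [Parameter(Mandatory)] [string] $GroupName,
        [Parameter(Mandatory)] [string] $UserSamAccountName,
        [Parameter(Mandatory)] [string] $Server          # DC to read metadata from
    )
    $group = Get-ADGroup -Identity $GroupName -Server $Server
    $user  = Get-ADUser  -Identity $UserSamAccountName -Server $Server

    # Membership lives in the group's 'member' attribute; with linked-value
    # replication each member DN carries its own timestamps. If the user was
    # removed and re-added, LastOriginatingChangeTime reflects the latest change.
    Get-ADReplicationAttributeMetadata -Object $group.DistinguishedName -Server $Server `
            -Properties member -ShowAllLinkedValues |
        Where-Object { $_.AttributeValue -eq $user.DistinguishedName } |
        Select-Object AttributeValue, FirstOriginatingCreateTime, LastOriginatingChangeTime,
                      LastOriginatingChangeDirectoryServerIdentity, Version
}

function Find-GroupAddEvent {
    param(
        [Parameter(Mandatory)] [string]   $DomainController,  # DC that originated the change
        [Parameter(Mandatory)] [string]   $MemberDn,
        [Parameter(Mandatory)] [datetime] $Around,
        [int] $WindowMinutes = 10
    )
    # 4728/4732/4756 = member added to a global/local/universal security group.
    # Get-WinEvent reports an error if nothing matches (not audited, or log rolled over).
    $filter = @{
        LogName   = 'Security'
        Id        = 4728, 4732, 4756
        StartTime = $Around.AddMinutes(-$WindowMinutes)
        EndTime   = $Around.AddMinutes($WindowMinutes)
    }
    Get-WinEvent -ComputerName $DomainController -FilterHashtable $filter |
        Where-Object { $_.Message.Contains($MemberDn) } |
        Select-Object TimeCreated, Id, MachineName, Message
}

# Usage (hypothetical names). The DC name to query is the server named inside
# LastOriginatingChangeDirectoryServerIdentity (an NTDS Settings DN).
# $m = Get-GroupMemberLinkMetadata -GroupName 'Domain Admins' -UserSamAccountName 'jdoe' -Server 'dc01.example.test'
# Find-GroupAddEvent -DomainController 'dc01.example.test' -MemberDn $m.AttributeValue -Around $m.LastOriginatingChangeTime
```

The metadata gives the time and originating DC even when auditing was off; the account that made the change is only recoverable if the Security log on that DC still holds the event.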
 
LVL 2

Expert Comment

by:titan123
ID: 39277985
Is auditing enabled?

If yes, you can check the logs.
0
 
LVL 1

Author Comment

by:CHI-LTD
ID: 39278014
It looks like (as per my link) it's already been set, but I cannot find any records in the event logs...
0
 
LVL 5

Expert Comment

by:vin_shooter
ID: 39289465
Hi,

Have you followed the steps which I have given above?
0
 
LVL 2

Expert Comment

by:titan123
ID: 39289653
If you are unable to find it in the event logs, in this case it is very impossible to say whether this can be executed or not. Just for this case, it is like if you would be using a third-party application, also at that moment this is a bit impossible, as they also can configure your AD auditing as you will go along with your auditing started.

If you want you can check out various auditing tools that are available but still there would be a compliance in the reports.

Thanks.
0
 
LVL 1

Author Comment

by:CHI-LTD
ID: 39289654
@  vin_shooter - yes.
@ titan - ?
0
 
LVL 1

Author Comment

by:CHI-LTD
ID: 39317110
Never got there in the end..
Oh well
0
