Solved

How to find a change of data in AD?

Posted on 2013-06-26
Last Modified: 2014-07-31
A user has been given full admin rights!
Is there a way of finding out when this group was added to the user account?

Thanks
Question by:CHI-LTD
16 Comments
 
LVL 42

Expert Comment

by:sedgwick
ID: 39277306
Which group?
Do you mean when the user was added to a specific group?
0
 
LVL 1

Author Comment

by:CHI-LTD
ID: 39277307
domain admins
0
 
LVL 1

Author Comment

by:CHI-LTD
ID: 39277308
yes
0
 
LVL 11

Accepted Solution

by:
mcnute earned 125 total points
ID: 39277309
You may not find out anymore, but you can in the future by modifying the logging properties of AD.
http://technet.microsoft.com/en-us/library/cc961809.aspx
0
 
LVL 42

Assisted Solution

by:sedgwick
sedgwick earned 250 total points
ID: 39277322
For future auditing, you need to enable auditing for account management and check the event viewer
on the DCs for event ID:
632 (add global group)
636 (add local group)
Currently, you can see the last modification of the user account on the "Object" tab.
From http://www.winvistatips.com/define-date-user-has-been-added-ad-group-t708268.html
0
 
LVL 1

Author Comment

by:CHI-LTD
ID: 39277332
enable auditing for account mgt.  - is this the same as mcnute has said?
0
 
LVL 42

Assisted Solution

by:sedgwick
sedgwick earned 250 total points
ID: 39277423
Yes, kinda; you need to go and configure which audit properties you are interested in.
0
 
LVL 1

Author Comment

by:CHI-LTD
ID: 39277442
0
 
LVL 5

Assisted Solution

by:vin_shooter
vin_shooter earned 125 total points
ID: 39277554
Hi,

You can very well find who/when it's been added.

You need to follow the steps below:

Step 1: Use this command to get the DN path: dsquery user -name "logonid"

You need to replace logonid with the actual user ID. You'll then get the DN path of the account.

Step 2: repadmin /showmeta "DNPATH" >>c:\temp\meta.txt

Navigate to C:\temp, open "meta.txt" and search the list of changes that happened to the object. In it you'll get the name of the DC on which the action of providing "full admin rights" was performed. Search the security logs and you'll come to know the ID that performed that activity.
0
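The lookup described in the answer above, as an added PowerShell example that is not part of the original thread: it reads the replication metadata of the group's `member` attribute to get the time and originating DC of the change, then searches that DC's Security log for the matching audit event. Assumptions: the ActiveDirectory (RSAT) module is available, `jdoe` is a hypothetical logon ID, and the DCs run Server 2008 or later, where the events the thread lists as 632 and 636 are logged as 4728 and 4732.

```powershell
# Added example. Requires the ActiveDirectory (RSAT) module and rights to read
# the Security log on the originating DC. 'jdoe' is a hypothetical logon ID.
Import-Module ActiveDirectory

$SamAccountName = 'jdoe'
$GroupName      = 'Domain Admins'

$user  = Get-ADUser  -Identity $SamAccountName
$group = Get-ADGroup -Identity $GroupName
$dc    = (Get-ADDomain).PDCEmulator

# Per-value replication metadata of the group's 'member' attribute. It is kept
# in the directory itself, so it is still there after the Security log wraps.
$link = Get-ADReplicationAttributeMetadata -Object $group.DistinguishedName `
            -Server $dc -Properties member -ShowAllLinkedValues |
        Where-Object { $_.AttributeValue -eq $user.DistinguishedName }

if (-not $link) {
    Write-Warning "No member metadata for $SamAccountName in $GroupName (not a direct member?)."
    return
}

# For a value that is currently present, the last change is the most recent add.
$when = $link.LastOriginatingChangeTime
# The originating DC is named in the NTDS Settings DN: CN=NTDS Settings,CN=<DC>,...
$originDc = $dc
if ($link.LastOriginatingChangeDirectoryServerIdentity -match '^CN=NTDS Settings,CN=([^,]+),') {
    $originDc = $Matches[1]
}
"Added to $GroupName at $when (first created $($link.FirstOriginatingCreateTime)); originated on $originDc"

# Search the originating DC's Security log in a window around that time.
$filter = @{ LogName = 'Security'; Id = 4728, 4732
             StartTime = $when.AddMinutes(-5); EndTime = $when.AddMinutes(5) }
Get-WinEvent -ComputerName $originDc -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        $e = $_
        $d = @{}   # EventData fields by name (MemberSid, SubjectUserName, ...)
        ([xml]$e.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
        if ($d['MemberSid'] -eq $user.SID.Value) {
            [pscustomobject]@{
                Time    = $e.TimeCreated
                EventId = $e.Id
                Group   = $d['TargetUserName']
                AddedBy = '{0}\{1}' -f $d['SubjectDomainName'], $d['SubjectUserName']
            }
        }
    }
```

If the Security log on that DC has already wrapped, or auditing was off at the time, the metadata line is still printed but no event rows follow.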
 
LVL 2

Expert Comment

by:titan123
ID: 39277985
Is auditing enabled?

If yes, you can check the logs.
0
 
LVL 1

Author Comment

by:CHI-LTD
ID: 39278014
It looks like (as per my link) it's already been set, but I cannot find any records in the event logs...
0
 
LVL 5

Expert Comment

by:vin_shooter
ID: 39289465
Hi,

Have you followed the steps which I have given above?
0
 
LVL 2

Expert Comment

by:titan123
ID: 39289653
If you are unable to find it in the event logs, in this case it is very impossible to say that this can be executed or not. Just for this case it is like if you would be using third-party applications also; at that moment of case also this is a bit impossible, as they also can configure your AD auditing as you will go along with your Auditing Started.

If you want you can check out various auditing tools that are available but still there would be a compliance in the reports.

Thanks.
0
 
LVL 1

Author Comment

by:CHI-LTD
ID: 39289654
@  vin_shooter - yes.
@ titan - ?
0
 
LVL 1

Author Comment

by:CHI-LTD
ID: 39317110
Never got there in the end..
Oh well
0
