Solved

Who disabled my coworker's active directory account?

Posted on 2014-01-15
7
1,941 Views
Last Modified: 2014-10-21
I have admistrator access to the user OU but not the domain controller.
I tried Get-ADUser powershell command to see who disable an active directory account and it has alot if information but did not tell me who disabled the account. Any suggestions?
0
Comment
Question by:355LT1
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
7 Comments
 
LVL 16

Expert Comment

by:Dale Harris
ID: 39784553
I believe you have to have auditing enabled in order for that to be seen, but it's one of those things that has to be done BEFORE the incident.  

http://support.microsoft.com/kb/814595

It's for 2003, but the core of it is the same.
0
 

Author Comment

by:355LT1
ID: 39784656
I'm confused. If I can see who modifies and file, why can't I see who modied an active directory user object?
0
 
LVL 16

Accepted Solution

by:
Dale Harris earned 168 total points
ID: 39784747
http://social.technet.microsoft.com/Forums/scriptcenter/en-US/d13bbd74-1570-42f5-bdcf-5b597f1887c0/how-to-determine-who-last-modified-ad-object?forum=ITCG

To know who last modified an AD object, you need to enable object access auditing, and set ACL's on the objects you want to audit.  AD does not record who changed an object, just the timestamp of the last change.

If the auditing wasn't enabled and the proper SACLs set when the change was made, then there won't be a record of who made that change.

Here's some directions: http://technet.microsoft.com/en-us/library/cc731607(v=ws.10).aspx

And lastly, 2008 user friendly instructions are here: http://blog.pluralsight.com/windows-server-2008-auditing-active-directory

Hope that helps

-Dale Harris
0
 
LVL 4

Assisted Solution

by:michaelalphi
michaelalphi earned 166 total points
ID: 39784901
Absolutely, you must keep the “Account Management” auditing option enabled to track such kind of changes.
Furthermore, You can follow this Blog for more details.

To track the deleted object you can check the directory service event for the same. If auditing is enabled event id 630 will be logged. You can also use LDP to track the same.
However there may be a case that event may be overridden depending upon the size/policy of event log defined. You can also use third party tool.

Also, check this one to know who modified an AD object
0
 
LVL 53

Assisted Solution

by:Will Szymkowski
Will Szymkowski earned 166 total points
ID: 39785170
You can use the following powershell command below to get all of your disabled users in Active Directory.

Get-ADUser -filter * -properties * | ? {$_.Enabled -eq $false} | select Name, sAMAccountName, Enabled, whenChanged

Open in new window


The command above will get all of the disabled users and also show you when they were disabled.

It will not however get the details of who disabled the account. Auditing needs to be setup initally on the DC's and then you will need to go through the security logs to get this information.

The hard thing about finding out who disabled your account is if you have many domain controllers in your environment you will need to check the logs on all of them. The log is present on the DC which the user (making the change) was connected to at the time. By this time if your logs have not been increased they usually overwrite themselves by that time as there are thousands of security logs a minute.

Personally best way to manage this is using AD Audit Plus. This software is not free but worth every penny. However, they do have a 30 day free trial.

The logs are collected from all of the DC's and presented in a web interface view which tells you everything that is happening.

AD Audit Plus Download

Will.
0

Featured Post

Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article demonstrates probably the easiest way to configure domain-wide tier isolation within Active Directory. If you do not know tier isolation read https://technet.microsoft.com/en-us/windows-server-docs/security/securing-privileged-access/s…
Did you know that more than 4 billion data records have been recorded as lost or stolen since 2013? It was a staggering number brought to our attention during last week’s ManageEngine webinar, where attendees received a comprehensive look at the ma…
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.
Are you ready to implement Active Directory best practices without reading 300+ pages? You're in luck. In this webinar hosted by Skyport Systems, you gain insight into Microsoft's latest comprehensive guide, with tips on the best and easiest way…

734 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question