Solved

Who disabled my coworker's active directory account?

Posted on 2014-01-15
7
1,752 Views
Last Modified: 2014-10-21
I have administrator access to the user OU but not the domain controller.
I tried the Get-ADUser PowerShell command to see who disabled an Active Directory account, and it has a lot of information but did not tell me who disabled the account. Any suggestions?
0
Question by:355LT1
7 Comments
 
LVL 16

Expert Comment

by:Dale Harris
ID: 39784553
I believe you have to have auditing enabled in order for that to be seen, but it's one of those things that has to be done BEFORE the incident.  

http://support.microsoft.com/kb/814595

It's for 2003, but the core of it is the same.
0
 

Author Comment

by:355LT1
ID: 39784656
I'm confused. If I can see who modifies a file, why can't I see who modified an Active Directory user object?
0
 
LVL 16

Accepted Solution

by:
Dale Harris earned 168 total points
ID: 39784747
http://social.technet.microsoft.com/Forums/scriptcenter/en-US/d13bbd74-1570-42f5-bdcf-5b597f1887c0/how-to-determine-who-last-modified-ad-object?forum=ITCG

To know who last modified an AD object, you need to enable object access auditing, and set ACLs on the objects you want to audit. AD does not record who changed an object, just the timestamp of the last change.

If the auditing wasn't enabled and the proper SACLs set when the change was made, then there won't be a record of who made that change.

Here are some directions: http://technet.microsoft.com/en-us/library/cc731607(v=ws.10).aspx

And lastly, 2008 user friendly instructions are here: http://blog.pluralsight.com/windows-server-2008-auditing-active-directory

Hope that helps

-Dale Harris
0
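The accepted answer says auditing has to be switched on and a SACL placed on the objects before the change happens. The script below is an added example, not code from any answer on this page, showing what that looks like on a Server 2008 or later domain with PowerShell: it enables the two relevant audit subcategories and adds a SACL entry on a user OU that records successful writes to userAccountControl (the attribute a disable flips). The OU distinguished name is a placeholder, the schema GUIDs are looked up rather than hard-coded, and it assumes you run it as a domain admin with the RSAT ActiveDirectory module available.

```powershell
# Added example (not from the page): enable the auditing the accepted answer
# describes, so that future account disables are recorded in the Security log.
# Assumptions: Server 2008+ domain, run as a domain admin with the ActiveDirectory
# module; $OuDN is a placeholder for the OU you want audited.
param(
    [string]$OuDN = 'OU=Users,DC=example,DC=com'   # placeholder OU
)
Import-Module ActiveDirectory

# 1. Enable the audit subcategories (success only) on this machine. In a domain,
#    set the same two in the Default Domain Controllers Policy so every DC logs them.
auditpol /set /subcategory:"Directory Service Changes" /success:enable | Out-Null
auditpol /set /subcategory:"User Account Management"  /success:enable | Out-Null

# 2. Resolve schema GUIDs from the schema partition instead of hard-coding them.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
function Get-SchemaGuid([string]$LdapDisplayName) {
    $obj = Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    [guid]$obj.schemaIDGUID          # schemaIDGUID is stored as a byte array
}
$uacGuid  = Get-SchemaGuid 'userAccountControl'   # attribute changed by a disable
$userGuid = Get-SchemaGuid 'user'                 # restrict the entry to user objects

# 3. Build a SACL entry: audit successful WriteProperty on userAccountControl,
#    by anyone (Everyone, S-1-1-0), inherited by user objects under the OU.
$everyone = [System.Security.Principal.SecurityIdentifier]'S-1-1-0'
$rule = New-Object System.DirectoryServices.ActiveDirectoryAuditRule(
    $everyone,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    [System.Security.AccessControl.AuditFlags]::Success,
    $uacGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userGuid)

# -Audit reads the SACL (needs SeSecurityPrivilege); AddAuditRule merges the entry.
$acl = Get-Acl -Path "AD:\$OuDN" -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path "AD:\$OuDN" -AclObject $acl

# 4. Verify the entry landed on the OU.
(Get-Acl -Path "AD:\$OuDN" -Audit).GetAuditRules($true, $true,
        [System.Security.Principal.SecurityIdentifier]) |
    Where-Object { $_.ObjectType -eq $uacGuid } |
    Format-Table IdentityReference, ActiveDirectoryRights, AuditFlags, InheritanceType
```

Once both halves are in place, a disable produces a 4725 ("A user account was disabled") event from the User Account Management subcategory and a 5136 ("A directory service object was modified") event from Directory Service Changes, each carrying the account that made the change. Neither is written retroactively, which is the point the answer makes about doing this before the incident.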
 
LVL 4

Assisted Solution

by:michaelalphi
michaelalphi earned 166 total points
ID: 39784901
Absolutely, you must keep the "Account Management" auditing option enabled to track such changes.
Furthermore, you can follow this blog for more details.

To track the deleted object you can check the Directory Service event log for the same. If auditing is enabled, event ID 630 will be logged. You can also use LDP to track the same.
However, there may be a case where the event has been overwritten, depending upon the size/policy of the event log defined. You can also use a third-party tool.

Also, check this one to know who modified an AD object
0
 
LVL 53

Assisted Solution

by:Will Szymkowski
Will Szymkowski earned 166 total points
ID: 39785170
You can use the following PowerShell command to get all of your disabled users in Active Directory.

Get-ADUser -filter * -properties * | ? {$_.Enabled -eq $false} | select Name, sAMAccountName, Enabled, whenChanged



The command above will get all of the disabled users and also show you when they were disabled.

It will not, however, get the details of who disabled the account. Auditing needs to be set up initially on the DCs, and then you will need to go through the security logs to get this information.

The hard thing about finding out who disabled your account is that if you have many domain controllers in your environment, you will need to check the logs on all of them. The log is present on the DC which the user (making the change) was connected to at the time. If your log sizes have not been increased, they usually have overwritten themselves by then, as there are thousands of security log entries a minute.

Personally, the best way to manage this is using AD Audit Plus. This software is not free but worth every penny. However, they do have a 30-day free trial.

The logs are collected from all of the DCs and presented in a web interface view which tells you everything that is happening.

AD Audit Plus Download

Will.
0
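Will's answer points out that the event only lands on whichever DC handled the change, so every DC's Security log has to be checked. The script below is an added example (not Will's code or part of the page) that does that search from one place: it enumerates the domain controllers, pulls the 2008+ account-management events that record a disable (4725 "A user account was disabled" and 4738 "A user account was changed") from each, and reports who performed the change on the named account. It assumes the auditing described earlier was already enabled, that you can read the Security log remotely, and that the ActiveDirectory module is installed; the sAMAccountName and lookback window are parameters.

```powershell
# Added example (not from the page): search every DC's Security log for the
# events that record a user account being disabled, and print who did it.
# Assumptions: "Audit User Account Management" (success) was enabled on the DCs
# before the change; the caller can read Security logs remotely; ActiveDirectory
# module present. On Server 2003 the equivalent event IDs are 629 and 642.
param(
    [Parameter(Mandatory)][string]$SamAccountName,
    [int]$DaysBack = 7
)
Import-Module ActiveDirectory

$dcs   = (Get-ADDomainController -Filter *).HostName
$since = (Get-Date).AddDays(-$DaysBack)
$filter = @{ LogName = 'Security'; Id = 4725, 4738; StartTime = $since }

foreach ($dc in $dcs) {
    try {
        # FilterHashtable is evaluated on the DC, so only matching events cross the wire.
        $events = Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction Stop
    } catch {
        # Get-WinEvent throws when there are no matching events at all, and on RPC
        # failures; either way this DC has nothing we can use.
        Write-Verbose "${dc}: $($_.Exception.Message)"
        continue
    }

    foreach ($e in $events) {
        # Flatten the EventData <Data Name="..."> elements into a lookup table.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        if ($data['TargetUserName'] -ne $SamAccountName) { continue }
        # 4738 fires for any attribute change; keep it only when the
        # UserAccountControl field actually changed ("-" means untouched).
        if ($e.Id -eq 4738 -and $data['UserAccountControl'] -eq '-') { continue }

        [pscustomobject]@{
            DomainController = $dc
            TimeCreated      = $e.TimeCreated
            EventId          = $e.Id
            Actor            = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
            ActorLogonId     = $data['SubjectLogonId']
            Target           = $data['TargetUserName']
            UacChange        = $data['UserAccountControl']
        }
    }
}
```

Run it as `.\Find-AccountDisable.ps1 -SamAccountName jsmith -DaysBack 14` (the file name is whatever you save it as). An empty result on every DC almost always means one of the two things the answers above describe: auditing was not enabled when the change happened, or the log had already rolled over.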
