Solved

Who disabled my coworker's active directory account?

Posted on 2014-01-15
7
1,704 Views
Last Modified: 2014-10-21
I have administrator access to the user OU but not the domain controller.
I tried the Get-ADUser PowerShell command to see who disabled an Active Directory account, and it has a lot of information but did not tell me who disabled the account. Any suggestions?
0
Question by:355LT1
7 Comments
 
LVL 16

Expert Comment

by:Dale Harris
ID: 39784553
I believe you have to have auditing enabled in order for that to be seen, but it's one of those things that has to be done BEFORE the incident.  

http://support.microsoft.com/kb/814595

It's for 2003, but the core of it is the same.
0
 

Author Comment

by:355LT1
ID: 39784656
I'm confused. If I can see who modifies a file, why can't I see who modified an Active Directory user object?
0
 
LVL 16

Accepted Solution

by:
Dale Harris earned 168 total points
ID: 39784747
http://social.technet.microsoft.com/Forums/scriptcenter/en-US/d13bbd74-1570-42f5-bdcf-5b597f1887c0/how-to-determine-who-last-modified-ad-object?forum=ITCG

To know who last modified an AD object, you need to enable object access auditing and set ACLs on the objects you want to audit. AD does not record who changed an object, just the timestamp of the last change.

If the auditing wasn't enabled and the proper SACLs set when the change was made, then there won't be a record of who made that change.

Here are some directions: http://technet.microsoft.com/en-us/library/cc731607(v=ws.10).aspx

And lastly, 2008 user friendly instructions are here: http://blog.pluralsight.com/windows-server-2008-auditing-active-directory

Hope that helps

-Dale Harris
0
 
LVL 4

Assisted Solution

by:michaelalphi
michaelalphi earned 166 total points
ID: 39784901
Absolutely, you must keep the "Account Management" auditing option enabled to track such changes.
Furthermore, you can follow this blog for more details.

To track the deleted object, you can check the Directory Service event log for the same. If auditing is enabled, event ID 630 will be logged. You can also use LDP to track the same.
However, there may be a case where the event has been overwritten, depending on the size/policy defined for the event log. You can also use a third-party tool.

Also, check this one to know who modified an AD object
0
 
LVL 53

Assisted Solution

by:Will Szymkowski
Will Szymkowski earned 166 total points
ID: 39785170
You can use the following PowerShell command to get all of your disabled users in Active Directory.

Get-ADUser -filter * -properties * | ? {$_.Enabled -eq $false} | select Name, sAMAccountName, Enabled, whenChanged



The command above will get all of the disabled users and also show you when they were disabled.

It will not, however, get the details of who disabled the account. Auditing needs to be set up initially on the DCs, and then you will need to go through the security logs to get this information.

The hard thing about finding out who disabled your account is that if you have many domain controllers in your environment, you will need to check the logs on all of them. The log entry is present on the DC which the user (making the change) was connected to at the time. If your log sizes have not been increased, they usually overwrite themselves by then, as there are thousands of security log entries a minute.

Personally, the best way to manage this is using AD Audit Plus. This software is not free but worth every penny. However, they do have a 30-day free trial.

The logs are collected from all of the DCs and presented in a web interface view which tells you everything that is happening.

AD Audit Plus Download

Will.
0
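The log search Will describes, as an added example (not code from the thread): it queries the Security log on every domain controller for event ID 4725 ("A user account was disabled"; the Windows Server 2003 equivalent is 629) and reports which account performed the change. It assumes the "Audit User Account Management" policy was already enabled when the change happened, that the RSAT ActiveDirectory module is installed, and that the caller can read the Security log on each DC; the script name and parameters are made up for this example.

```powershell
# Find-DisabledBy.ps1 (hypothetical name): who disabled a given AD account?
param(
    [Parameter(Mandatory)] [string] $SamAccountName,   # account that was disabled
    [int] $DaysBack = 30                               # how far back to search
)

Import-Module ActiveDirectory

# 4725 = "A user account was disabled" (Server 2008 and later)
$filter = @{
    LogName   = 'Security'
    Id        = 4725
    StartTime = (Get-Date).AddDays(-$DaysBack)
}

# The event exists only on the DC that processed the change, so every DC
# in the domain must be queried.
$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

foreach ($dc in $dcs) {
    try {
        $events = Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction Stop
    } catch {
        # Get-WinEvent throws when no event matches, when the log has already
        # wrapped, or when the DC is unreachable; report it and keep going.
        Write-Warning "$dc : $($_.Exception.Message)"
        continue
    }

    foreach ($e in $events) {
        # Pull the named EventData fields out of the event XML
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        if ($data['TargetUserName'] -eq $SamAccountName) {
            [pscustomobject]@{
                DomainController = $dc
                When             = $e.TimeCreated
                DisabledBy       = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
                Account          = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
            }
        }
    }
}
```

If auditing was not enabled before the account was disabled, the loop returns nothing on every DC, which is the situation the accepted answer describes.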
