Who disabled my coworker's active directory account?

Posted on 2014-01-15
2,244 Views
Last Modified: 2014-10-21
I have administrator access to the user OU but not the domain controller.
I tried the Get-ADUser PowerShell command to see who disabled an Active Directory account; it has a lot of information but did not tell me who disabled the account. Any suggestions?
Question by:355LT1
7 Comments
 
LVL 16

Expert Comment

by:Dale Harris
ID: 39784553
I believe you have to have auditing enabled in order for that to be seen, but it's one of those things that has to be done BEFORE the incident.  

http://support.microsoft.com/kb/814595

It's for 2003, but the core of it is the same.

Author Comment

by:355LT1
ID: 39784656
I'm confused. If I can see who modifies a file, why can't I see who modified an Active Directory user object?
LVL 16

Accepted Solution

by:Dale Harris
Dale Harris earned 672 total points
ID: 39784747
http://social.technet.microsoft.com/Forums/scriptcenter/en-US/d13bbd74-1570-42f5-bdcf-5b597f1887c0/how-to-determine-who-last-modified-ad-object?forum=ITCG

To know who last modified an AD object, you need to enable object access auditing and set ACLs on the objects you want to audit. AD does not record who changed an object, just the timestamp of the last change.

If the auditing wasn't enabled and the proper SACLs set when the change was made, then there won't be a record of who made that change.

Here's some directions: http://technet.microsoft.com/en-us/library/cc731607(v=ws.10).aspx

And lastly, 2008 user friendly instructions are here: http://blog.pluralsight.com/windows-server-2008-auditing-active-directory

Hope that helps

-Dale Harris
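The two prerequisites named in the accepted answer (an audit policy that is switched on, and a SACL on the objects to be audited) can both be set from PowerShell. The following is an added example, not code from the thread or from any of the linked articles; it assumes a Server 2008 or later domain controller, the ActiveDirectory module, and a placeholder OU distinguished name in $ouDn.

```powershell
# Added example, not part of the thread: enable the audit policy and add a SACL on the
# user OU so that future changes to user objects are written to the DC Security log.
# Run in an elevated PowerShell session on a domain controller as a domain admin.
# $ouDn is a placeholder; replace it with the DN of the OU you administer.
$ouDn = "OU=Users,DC=example,DC=com"

# 1. Turn on the audit subcategories (Server 2008 and later granular audit policy).
#    "User Account Management" produces 4725 (account disabled) without any SACL;
#    "Directory Service Changes" produces 5136 (object modified) but only for objects
#    that carry a matching SACL. auditpol changes the DC you run it on only; to cover
#    every DC, set the same subcategories in the Default Domain Controllers Policy GPO.
auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable
auditpol /set /subcategory:"Directory Service Changes" /success:enable

# 2. Add an audit entry on the OU: log successful property writes by anyone,
#    inherited by every object below the OU.
Import-Module ActiveDirectory
$acl      = Get-Acl -Path "AD:\$ouDn" -Audit
$everyone = New-Object System.Security.Principal.SecurityIdentifier("S-1-1-0")
$rights   = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
$flags    = [System.Security.AccessControl.AuditFlags]::Success
$inherit  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
$rule     = New-Object System.DirectoryServices.ActiveDirectoryAuditRule -ArgumentList $everyone, $rights, $flags, $inherit
$acl.AddAuditRule($rule)
Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# 3. Confirm the SACL now carries the entry and the subcategories are enabled.
$acl = Get-Acl -Path "AD:\$ouDn" -Audit
$acl.GetAuditRules($true, $true, [System.Security.Principal.NTAccount]) |
    Format-Table IdentityReference, ActiveDirectoryRights, AuditFlags, InheritanceType -AutoSize
auditpol /get /category:"Account Management","DS Access"
```

Auditing every successful write by Everyone on a busy OU generates a large volume of 5136 events, so raise the Security log size on the DCs (or forward the events) at the same time, otherwise the entries are overwritten before anyone looks for them.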
LVL 4

Assisted Solution

by:michaelalphi
michaelalphi earned 664 total points
ID: 39784901
Absolutely, you must keep the "Account Management" auditing option enabled to track this kind of change.
Furthermore, you can follow this blog for more details.

To track the deleted object, you can check the Directory Service event log for the same. If auditing is enabled, event ID 630 will be logged. You can also use LDP to track the same.
However, there may be a case where the event has been overwritten, depending upon the size/policy of the event log defined. You can also use a third-party tool.

Also, check this one to know who modified an AD object
LVL 53

Assisted Solution

by:Will Szymkowski
Will Szymkowski earned 664 total points
ID: 39785170
You can use the following PowerShell command to get all of your disabled users in Active Directory.

Get-ADUser -Filter 'Enabled -eq $false' -Properties whenChanged | Select-Object Name, sAMAccountName, Enabled, whenChanged


The command above will get all of the disabled users and also show you when they were disabled.

It will not, however, get the details of who disabled the account. Auditing needs to be set up initially on the DCs, and then you will need to go through the Security logs to get this information.

The hard thing about finding out who disabled your account is that if you have many domain controllers in your environment, you will need to check the logs on all of them. The log is present on the DC which the user (making the change) was connected to at the time. By then, if your log sizes have not been increased, the logs have usually overwritten themselves, as there are thousands of security log entries a minute.

Personally, the best way to manage this is using AD Audit Plus. This software is not free but worth every penny. However, they do have a 30-day free trial.

The logs are collected from all of the DCs and presented in a web interface view which tells you everything that is happening.

AD Audit Plus Download

Will.
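The search this answer describes (the same event on whichever DC the change was made against, before the log wraps) can be scripted rather than done by hand in Event Viewer on each DC. The block below is an added example, not code from the thread or from AD Audit Plus; it assumes the ActiveDirectory module, remote event log access to every DC, and a placeholder logon name in $SamAccountName. It reads the two events that a Server 2008 or later DC writes when an account is disabled: 4725 ("A user account was disabled", from the User Account Management subcategory, no SACL needed) and 5136 ("A directory service object was modified", which needs Directory Service Changes auditing and a SACL on the object). Event 630 mentioned earlier in the thread is the Server 2003 equivalent of 4725.

```powershell
# Added example, not part of the thread: find who disabled an account by reading the
# Security log of every domain controller, since the event only exists on the DC that
# processed the change. Returns nothing if auditing was off or the entries were overwritten.
param(
    [string]$SamAccountName = "jdoe",   # placeholder: the disabled coworker's logon name
    [int]$DaysBack = 7                  # how far back to search
)

Import-Module ActiveDirectory
$since  = (Get-Date).AddDays(-$DaysBack)
$userDn = (Get-ADUser -Identity $SamAccountName).DistinguishedName

# Turn the <Data Name="..."> elements of an event's XML into a hashtable.
function Get-EventData($event) {
    $xml = [xml]$event.ToXml()
    $h = @{}
    foreach ($d in $xml.Event.EventData.Data) { $h[$d.Name] = $d.'#text' }
    return $h
}

$results = foreach ($dc in (Get-ADDomainController -Filter *)) {
    try {
        $events = Get-WinEvent -ComputerName $dc.HostName -ErrorAction Stop -FilterHashtable @{
            LogName   = 'Security'
            Id        = 4725, 5136
            StartTime = $since
        }
    } catch {
        # Get-WinEvent throws when there are no matching events, and when the DC is unreachable.
        Write-Verbose "$($dc.HostName): $($_.Exception.Message)"
        continue
    }
    foreach ($e in $events) {
        $d = Get-EventData $e
        $hit = switch ($e.Id) {
            # 4725: TargetUserName is the account that was disabled
            4725 { $d.TargetUserName -eq $SamAccountName }
            # 5136: keep only writes to userAccountControl on this user's object
            5136 { $d.ObjectDN -eq $userDn -and $d.AttributeLDAPDisplayName -eq 'userAccountControl' }
        }
        if ($hit) {
            [pscustomobject]@{
                TimeCreated = $e.TimeCreated
                DC          = $dc.HostName
                EventId     = $e.Id
                ChangedBy   = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                Target      = if ($e.Id -eq 4725) { $d.TargetUserName } else { $d.ObjectDN }
            }
        }
    }
}

$results | Sort-Object TimeCreated | Format-Table -AutoSize
```

The SubjectUserName in either event is the account that made the change, which is the answer the question asks for; the whenChanged attribute returned by Get-ADUser only tells you when the object last changed, for any attribute, and never who changed it. Running this regularly and keeping the output, or forwarding 4725/5136 to a collector, is the cheap substitute for the third-party product mentioned above.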