Solved

Who disabled my coworker's active directory account?

Posted on 2014-01-15
7
2,023 Views
Last Modified: 2014-10-21
I have administrator access to the user OU but not the domain controller.
I tried the Get-ADUser PowerShell command to see who disabled an Active Directory account, and it has a lot of information but did not tell me who disabled the account. Any suggestions?
Question by:355LT1
7 Comments
 
LVL 16

Expert Comment

by:Dale Harris
ID: 39784553
I believe you have to have auditing enabled in order for that to be seen, but it's one of those things that has to be done BEFORE the incident.  

http://support.microsoft.com/kb/814595

It's for 2003, but the core of it is the same.
0
 

Author Comment

by:355LT1
ID: 39784656
I'm confused. If I can see who modifies a file, why can't I see who modified an Active Directory user object?
0
 
LVL 16

Accepted Solution

by: Dale Harris (earned 168 total points)
ID: 39784747
http://social.technet.microsoft.com/Forums/scriptcenter/en-US/d13bbd74-1570-42f5-bdcf-5b597f1887c0/how-to-determine-who-last-modified-ad-object?forum=ITCG

To know who last modified an AD object, you need to enable object access auditing and set ACLs on the objects you want to audit. AD does not record who changed an object, just the timestamp of the last change.

If the auditing wasn't enabled and the proper SACLs set when the change was made, then there won't be a record of who made that change.

Here's some directions: http://technet.microsoft.com/en-us/library/cc731607(v=ws.10).aspx

And lastly, 2008 user friendly instructions are here: http://blog.pluralsight.com/windows-server-2008-auditing-active-directory

Hope that helps

-Dale Harris
0
 
LVL 4

Assisted Solution

by:michaelalphi
michaelalphi earned 166 total points
ID: 39784901
Absolutely, you must keep the “Account Management” auditing option enabled to track such kinds of changes.
Furthermore, you can follow this blog for more details.

To track the deleted object you can check the Directory Service event log for the same. If auditing is enabled, event ID 630 will be logged. You can also use LDP to track the same.
However, there may be a case where the event has been overridden, depending on the size/policy defined for the event log. You can also use a third-party tool.

Also, check this one to know who modified an AD object
0
 
LVL 53

Assisted Solution

by:Will Szymkowski
Will Szymkowski earned 166 total points
ID: 39785170
You can use the following powershell command below to get all of your disabled users in Active Directory.

Get-ADUser -filter * -properties * | ? {$_.Enabled -eq $false} | select Name, sAMAccountName, Enabled, whenChanged



The command above will get all of the disabled users and also show you when they were disabled.

It will not, however, get the details of who disabled the account. Auditing needs to be set up initially on the DCs, and then you will need to go through the security logs to get this information.

The hard thing about finding out who disabled your account is that if you have many domain controllers in your environment, you will need to check the logs on all of them. The log entry is present only on the DC which the user (making the change) was connected to at the time. By this time, if your log sizes have not been increased, they have usually overwritten themselves, as there are thousands of security log entries a minute.

Personally, the best way to manage this is using AD Audit Plus. This software is not free, but it is worth every penny. However, they do have a 30-day free trial.

The logs are collected from all of the DC's and presented in a web interface view which tells you everything that is happening.

AD Audit Plus Download

Will.
0
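The multi-DC log search Will describes, as an added example that is not code from the thread: it reads event ID 4725 ("A user account was disabled") from the Security log of every domain controller and reports who performed the change, and it first prints how far back each DC's log still reaches so an overwritten record is recognised rather than mistaken for "nobody did it". It assumes Windows Server 2008 or later DCs, the ActiveDirectory module, the "Account Management" (Audit User Account Management) auditing was enabled before the change, and that the caller can read the DCs' Security logs (membership in the DCs' Event Log Readers group is enough); the account name is a constructed placeholder.

```powershell
# Added example (not from the thread): who disabled a given account, across all DCs.
param(
    [string]$TargetUser = 'jdoe'   # sAMAccountName of the disabled account (placeholder)
)
Import-Module ActiveDirectory

# 4725 is only written on the DC that processed the change, so every DC must be queried.
$dcs = (Get-ADDomainController -Filter *).HostName

foreach ($dc in $dcs) {
    try {
        # Oldest surviving Security event on this DC: if the account was disabled
        # before this timestamp, the record has already been overwritten.
        $oldest = (Get-WinEvent -ComputerName $dc -LogName Security -MaxEvents 1 -Oldest -ErrorAction Stop).TimeCreated
        Write-Host "$dc : Security log reaches back to $oldest"

        Get-WinEvent -ComputerName $dc -FilterHashtable @{ LogName = 'Security'; Id = 4725 } -ErrorAction Stop |
            ForEach-Object {
                # Pull the named EventData fields out of the event XML.
                $x = [xml]$_.ToXml()
                $d = @{}
                foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
                [pscustomobject]@{
                    DomainController = $dc
                    When             = $_.TimeCreated
                    DisabledAccount  = $d['TargetUserName']
                    DisabledBy       = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
                }
            } |
            Where-Object { $_.DisabledAccount -eq $TargetUser }
    } catch {
        # Get-WinEvent throws when no 4725 events exist on that DC at all, and also
        # when the caller lacks read rights on its Security log; report and move on.
        Write-Warning "$dc : $($_.Exception.Message)"
    }
}
```

If no DC returns a row and the disable happened before every DC's "reaches back to" timestamp, the evidence is gone from the logs, which is exactly the retention problem Will points out.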
