Solved

Which group was the user in in the past?

Posted on 2015-01-15
Last Modified: 2015-01-19
Hi Experts,

Is it possible to find out which user group a user was in in the past?
It is nearly one month ago.
Maybe the logs?
Question by:Eprs_Admin
5 Comments
 
LVL 53

Accepted Solution

by:
Will Szymkowski earned 250 total points
All of these details are logged in the Domain Controllers' Security Logs on each domain controller separately. Depending on what domain controller the user authentication change was made on will be the DC that you are going to want to look at. Typically with the Security Logs, if you leave the default size they will get overwritten quickly.

If it has been over a month ago you are probably out of luck unless you have setup Event Subscriptions and copy/move the logs to a different server where you can go through them.

A good Auditing program for AD is AD Audit Plus. It is not free but it is not expensive either. Great tool and easy to use. Unfortunately even using this product you will not be able to retrieve the info you are looking for if the logs are not present.

AD Audit Plus

Will.
 
LVL 12

Assisted Solution

by:Dave
Dave earned 250 total points
If you have backups you may be able to restore a DC to an isolated virtual machine and check that way. Just be very careful to keep it completely separate from your live environment. Although if it's only 30 days old and it does find live, and you have more than one DC, the newer data/attributes on the domain will quickly overwrite the old restored info, which won't disrupt service but won't help much finding the info you need.

Typically, by default, you probably don't have group membership changes logged in the Domain Controller security logs so you won't have this info. Also note that the "member of" attribute on a user is what is called a "back linked" object so I don't think you can audit changes to it directly, only via the corresponding "member of" attribute of the group.

Even if you do they probably roll over more often than once a month. If you want to log these changes then you need to set appropriate Group Policies on the "Domain Controllers" OU but of course this will increase the amount of logging and the event logs will then roll over more quickly.
 
If you need log retention for Audit and Governance reports you may need a log aggregation and exploration tool. If you don't generate many events then Splunk can be a good tool but I had many problems getting it to log this type of event:-

http://www.splunk.com/

I have also used SolarWinds Log and Event Manager which was easier to set up but which can be expensive...

http://www.solarwinds.com/log-event-manager.aspx

and I know GFI have a tool in that space:-

http://www.gfi.com/products-and-solutions/network-security-solutions/gfi-eventsmanager
 
LVL 12

Expert Comment

by:Dave
Also note if you are reviewing what you log and how you handle it there is a UK Good Practice guide GPG13 which can help. Info here:-

http://www.gpg13.com/
 
LVL 53

Expert Comment

by:Will Szymkowski
In order to have group membership auditing you will need to ensure that under the Default Domain Policy you have "Audit Account Management" enabled for Success and Failure.

Once you have this setting enabled on the Default Domain Policy you will definitely see events related to Group Membership Access, in the Security Log.

If this policy was not enabled (and it is not by default) you are out of luck. Even restoring your domain controller to an earlier date will not help.

Will.
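An added example, not posted by any of the participants, showing how to pull the group membership change events Will and Dave describe out of a domain controller's Security log with PowerShell. The event IDs, the auditpol subcategory name and the script parameters are my assumptions, not something stated in the thread; it has to be run against each DC separately, since the event only lands on the DC where the change was made.

```powershell
# Added example (not from the thread): list group membership changes recorded in a
# DC's Security log. Event IDs 4728/4729 (global), 4732/4733 (local) and
# 4756/4757 (universal group add/remove) are only written when the
# "Audit Account Management" policy (subcategory Security Group Management)
# is enabled, as the answers above point out.
param(
    [string]$ComputerName = $env:COMPUTERNAME,   # assumption: run this on or against a DC
    [int]$Days = 30,                             # how far back to look
    [string]$Member                              # optional user name to filter on, e.g. 'jdoe'
)

# First check whether the subcategory is audited at all. If it is not, the log
# simply never contained these events and no tool can recover them afterwards.
auditpol /get /subcategory:"Security Group Management"

# Show the oldest retained Security event: anything older has already been
# overwritten, which is the retention problem both answers warn about.
Get-WinEvent -ComputerName $ComputerName -LogName Security -MaxEvents 1 -Oldest |
    Select-Object @{n='OldestRetainedEvent';e={$_.TimeCreated}}

$ids    = 4728,4729,4732,4733,4756,4757
$filter = @{ LogName = 'Security'; Id = $ids; StartTime = (Get-Date).AddDays(-$Days) }
$events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # Pull the named EventData fields out of the event XML
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time      = $e.TimeCreated
        Action    = if ($e.Id -in 4728,4732,4756) { 'Added' } else { 'Removed' }
        Member    = $d['MemberName']       # distinguished name of the affected account
        Group     = $d['TargetUserName']   # group whose membership changed
        ChangedBy = $d['SubjectUserName']  # account that made the change
        DC        = $e.MachineName
    }
}

if ($Member) { $rows = $rows | Where-Object { $_.Member -like "*$Member*" } }
$rows | Sort-Object Time | Format-Table -AutoSize
```

Run it once per domain controller (or forward the Security logs to a collector first) to get a complete picture.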
 

Author Comment

by:Eprs_Admin
That helps a lot thanks.