Solved

Which group was the user in, in the past?

Posted on 2015-01-15
Last Modified: 2015-01-19
Hi Experts,

Is it possible to find out which user group a user was in in the past?
It was nearly one month ago.
Maybe the logs?
Question by:Eprs_Admin

Accepted Solution

by:
Will Szymkowski earned 250 total points
ID: 40551765
All of these details are logged in the Domain Controllers' Security Logs, on each domain controller separately. The domain controller on which the user/group change was made is the DC that you are going to want to look at. Typically, if you leave the Security Logs at the default size, they will get overwritten quickly.

If it has been over a month ago you are probably out of luck, unless you have set up Event Subscriptions and copy/move the logs to a different server where you can go through them.

A good Auditing program for AD is AD Audit Plus. It is not free but it is not expensive either. Great tool and easy to use. Unfortunately even using this product you will not be able to retrieve the info you are looking for if the logs are not present.

AD Audit Plus

Will.

Assisted Solution

by:Dave
Dave earned 250 total points
ID: 40553150
If you have backups you may be able to restore a DC to an isolated virtual machine and check that way. Just be very careful to keep it completely separate from your live environment. Although if it's only 30 days old and it does find live, and you have more than one DC, the newer data/attributes on the domain will quickly overwrite the old restored info, which won't disrupt service but won't help much in finding the info you need.

Typically, by default, you probably don't have group membership changes logged in the Domain Controller security logs, so you won't have this info. Also note that the "member of" attribute on a user is what is called a "back linked" attribute, so I don't think you can audit changes to it directly, only via the corresponding "member" attribute of the group.

Even if you do, they probably roll over more often than once a month. If you want to log these changes then you need to set appropriate Group Policies on the "Domain Controllers" OU, but of course this will increase the amount of logging and the event logs will then roll over more quickly.
 
If you need log retention for Audit and Governance reports you may need log aggregation and exploration tools. If you don't generate many events then Splunk can be a good tool, but I had many problems getting it to log this type of event:-

http://www.splunk.com/

I have also used SolarWinds Log and Event Manager which was easier to set up but which can be expensive...

http://www.solarwinds.com/log-event-manager.aspx

and I know GFI have a tool in that space:-

http://www.gfi.com/products-and-solutions/network-security-solutions/gfi-eventsmanager

Expert Comment

by:Dave
ID: 40553154
Also note, if you are reviewing what you log and how you handle it, there is a UK Good Practice guide, GPG13, which can help. Info here:-

http://www.gpg13.com/

Expert Comment

by:Will Szymkowski
ID: 40553587
In order to have group membership auditing you will need to ensure that under the Default Domain Policy you have "Audit Account Management" enabled for Success and Failure.

Once you have this setting enabled on the Default Domain Policy you will definitely see events related to Group Membership changes in the Security Log.

If this policy was not enabled (and it is not by default) you are out of luck. Even restoring your domain controller to an earlier date will not help.

Will.
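An added example (not code from anyone in this thread) of checking a DC for the membership-change events the two answers describe. It assumes an elevated PowerShell session on the domain controller itself; the event IDs and XML field names are the ones Windows uses in the Security log for security group membership changes.

```powershell
# Added example, not from the thread. Run elevated on the DC whose Security log you want to check.
$Days = 30   # how far back to look; the thread's case is about a month

# Windows Security log event IDs for security group membership changes:
#   4728/4729 global group member added/removed
#   4732/4733 domain local group member added/removed
#   4756/4757 universal group member added/removed
$AddIds    = 4728, 4732, 4756
$RemoveIds = 4729, 4733, 4757

# 1. Is the audit subcategory on? The legacy "Audit Account Management" setting
#    covers this advanced subcategory; without it nothing is ever written.
auditpol /get /subcategory:"Security Group Management"

# 2. How big is the Security log and how many records does it hold? A default
#    sized log on a busy DC rolls over long before 30 days have passed.
Get-WinEvent -ListLog Security |
    Select-Object LogName, MaximumSizeInBytes, RecordCount, LogMode

# 3. Pull any membership change events still retained in the window.
$filter = @{
    LogName   = 'Security'
    Id        = $AddIds + $RemoveIds
    StartTime = (Get-Date).AddDays(-$Days)
}
try {
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction Stop
} catch {
    # Get-WinEvent throws rather than returning nothing when no event matches.
    Write-Warning "No group membership events retained in the last $Days days."
    $events = @()
}

# 4. Read member, group and actor from the event XML instead of parsing the
#    rendered message text, which varies by OS language and version.
$events | ForEach-Object {
    $xml  = [xml]$_.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    $action = if ($_.Id -in $AddIds) { 'Added' } else { 'Removed' }
    [pscustomobject]@{
        Time      = $_.TimeCreated
        Action    = $action
        Member    = $data['MemberName']      # DN of the account added/removed
        Group     = $data['TargetUserName']  # sAMAccountName of the group
        ChangedBy = $data['SubjectUserName'] # who made the change
        EventId   = $_.Id
    }
} | Sort-Object Time | Format-Table -AutoSize
```

If auditpol reports "No Auditing" or the log's RecordCount only spans a few days, the month-old events were either never written or have already been overwritten, which is exactly the situation the accepted answer describes.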

Author Comment

by:Eprs_Admin
ID: 40557188
That helps a lot thanks.