• Status: Solved

Which group was the user in, in the past?

Hi Experts,

Is it possible to find in which user group a user was in the past?
It was nearly one month ago.
Maybe the logs?
Asked:
Eprs_Admin
2 Solutions
 
Will Szymkowski, Senior Solution Architect, Commented:
All of these details are logged in the Domain Controllers' Security Logs, on each domain controller separately. The domain controller that the user authentication change was made on will be the DC that you are going to want to look at. Typically with the Security Logs, if you leave the default size they will get overwritten quickly.

If it has been over a month ago you are probably out of luck unless you have set up Event Subscriptions and copy/move the logs to a different server where you can go through them.

A good Auditing program for AD is AD Audit Plus. It is not free but it is not expensive either. Great tool and easy to use. Unfortunately even using this product you will not be able to retrieve the info you are looking for if the logs are not present.

AD Audit Plus

Will.
 
Dave Commented:
If you have backups you may be able to restore a DC to an isolated virtual machine and check that way. Just be very careful to keep it completely separate from your live environment. Although if it's only 30 days old and it does find live, and you have more than one DC, the newer data/attributes on the domain will quickly overwrite the old restored info, which won't disrupt service but won't help much finding the info you need.

Typically, by default, you probably don't have group membership changes logged in the Domain Controller security logs so you won't have this info. Also note that the "member of" attribute on a user is what is called a "back linked" object so I don't think you can audit changes to it directly, only via the corresponding "member of" attribute of the group.

Even if you do, they probably roll over more often than once a month. If you want to log these changes then you need to set appropriate Group Policies on the "Domain Controllers" OU, but of course this will increase the amount of logging and the event logs will then roll over more quickly.
 
If you need log retention for Audit and Governance reports you may need log aggregation and exploration tools. If you don't generate many events then Splunk can be a good tool, but I had many problems getting it to log this type of event:-

http://www.splunk.com/

I have also used SolarWinds Log and Event Manager which was easier to set up but which can be expensive...

http://www.solarwinds.com/log-event-manager.aspx

and I know GFI have a tool in that space:-

http://www.gfi.com/products-and-solutions/network-security-solutions/gfi-eventsmanager
 
Dave Commented:
Also note, if you are reviewing what you log and how you handle it, there is a UK Good Practice Guide, GPG13, which can help. Info here:-

http://www.gpg13.com/
 
Will Szymkowski, Senior Solution Architect, Commented:
In order to have group membership auditing you will need to ensure that under the default domain policy you have "Audit Account Management" enabled for Success and Failure.

Once you have this setting enabled on the Default Domain Policy you will definitely see events related to Group Membership Access, in the Security Log.

If this policy was not enabled (and it is not by default) you are out of luck. Even restoring your domain controller to an earlier date will not help.

Will.
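Added example (not part of the original thread or any poster's code): a PowerShell sketch of the log search described in the answers above, checking every DC's Security log for membership-change events that name one account. It assumes the ActiveDirectory (RSAT) module and read access to each DC's Security log; the parameter names are hypothetical, and the event IDs are the standard Windows account-management IDs, not values taken from the thread.

```powershell
# Added example: list group-membership changes for one account from DC Security logs.
# Assumes the ActiveDirectory module (RSAT) and rights to read each DC's Security log.
param(
    [Parameter(Mandatory)] [string] $SamAccountName,   # hypothetical: account to trace
    [int] $DaysBack = 30                               # hypothetical: how far back to search
)

Import-Module ActiveDirectory

# Membership-change events written when account management auditing is enabled:
# global 4728/4729, domain local 4732/4733, universal 4756/4757 (added/removed).
$ids   = 4728, 4729, 4732, 4733, 4756, 4757
$adds  = 4728, 4732, 4756
$user  = Get-ADUser -Identity $SamAccountName
$start = (Get-Date).AddDays(-$DaysBack)

$results = foreach ($dc in Get-ADDomainController -Filter *) {
    # Each DC logs only the changes made on it, so every DC has to be queried.
    $filter = @{ LogName = 'Security'; Id = $ids; StartTime = $start }
    try {
        $events = Get-WinEvent -ComputerName $dc.HostName -FilterHashtable $filter -ErrorAction Stop
    } catch {
        # Get-WinEvent throws when nothing matches; this also covers unreachable DCs.
        Write-Warning "$($dc.HostName): $($_.Exception.Message)"
        continue
    }
    foreach ($e in $events) {
        # Turn the EventData name/value pairs into a lookup table.
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data['MemberSid'] -ne $user.SID.Value) { continue }
        [pscustomobject]@{
            Time      = $e.TimeCreated
            DC        = $dc.HostName
            Action    = if ($e.Id -in $adds) { 'Added' } else { 'Removed' }
            Group     = $data['TargetUserName']   # the group that was changed
            ChangedBy = $data['SubjectUserName']  # account that made the change
        }
    }
}

$results | Sort-Object Time | Format-Table -AutoSize
if (-not $results) {
    Write-Warning 'No matching events: the log may have rolled over, or auditing was not enabled.'
}
```

An empty result does not prove the account's membership never changed; as the answers note, it can equally mean the events were overwritten or never logged.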
 
Eprs_Admin, System Architect, Author, Commented:
That helps a lot, thanks.
