Solved

Which group was the user in in the past?

Posted on 2015-01-15
Last Modified: 2015-01-19
Hi Experts,

Is it possible to find which user group a user was in in the past?
It was nearly one month ago.
Maybe the logs?
0
Question by:Eprs_Admin
LVL 53

Accepted Solution

by:
Will Szymkowski earned 1000 total points
ID: 40551765
All of these details are logged in the Domain Controllers' Security Logs, on each domain controller separately. The DC that you are going to want to look at is the one on which the user authentication change was made. Typically, if you leave the Security Logs at the default size, they will get overwritten quickly.

If it was over a month ago you are probably out of luck unless you have set up Event Subscriptions and copy/move the logs to a different server where you can go through them.

A good Auditing program for AD is AD Audit Plus. It is not free but it is not expensive either. Great tool and easy to use. Unfortunately even using this product you will not be able to retrieve the info you are looking for if the logs are not present.

AD Audit Plus

Will.
0
 
LVL 12

Assisted Solution

by:Dave
Dave earned 1000 total points
ID: 40553150
If you have backups you may be able to restore a DC to an isolated virtual machine and check that way. Just be very careful to keep it completely separate from your live environment. Although if it's only 30 days old and it does find live, and you have more than one DC, the newer data/attributes on the domain will quickly overwrite the old restored info, which won't disrupt service but won't help much finding the info you need.

Typically, by default, you probably don't have group membership changes logged in the Domain Controller security logs, so you won't have this info. Also note that the "member of" attribute on a user is what is called a "back linked" object, so I don't think you can audit changes to it directly, only via the corresponding "member of" attribute of the group.

Even if you do, they probably roll over more often than once a month. If you want to log these changes then you need to set appropriate Group Policies on the "Domain Controllers" OU, but of course this will increase the amount of logging and the event logs will then roll over more quickly.
 
If you need log retention for Audit and Governance reports you may need log aggregation and exploration tools. If you don't generate many events then Splunk can be a good tool, but I had many problems getting it to log this type of event:-

http://www.splunk.com/

I have also used SolarWinds Log and Event Manager which was easier to set up but which can be expensive...

http://www.solarwinds.com/log-event-manager.aspx

and I know GFI have a tool in that space:-

http://www.gfi.com/products-and-solutions/network-security-solutions/gfi-eventsmanager
0
 
LVL 12

Expert Comment

by:Dave
ID: 40553154
Also note, if you are reviewing what you log and how you handle it, there is a UK Good Practice Guide, GPG13, which can help. Info here:-

http://www.gpg13.com/
0
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 40553587
In order to have group membership auditing you will need to ensure that under the Default Domain Policy you have "Audit Account Management" enabled for Success and Failure.

Once you have this setting enabled on the Default Domain Policy you will definitely see events related to Group Membership Access, in the Security Log.

If this policy was not enabled (and it is not by default) you are out of luck. Even restoring your domain controller to an earlier date will not help.

Will.
0
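
The per-DC Security Log search described in the answers above, as an added PowerShell example that is not part of the original thread. It assumes the ActiveDirectory module, remote read access to each DC's Security log, and that "Audit Account Management" was already enabled when the change happened; `jdoe` and the 35-day window are placeholders, and the event IDs are the standard Windows security-group membership events, which the thread itself does not list.

```powershell
# Added example: search every DC's Security log for group-membership
# changes that involve one user, and show how far back each log reaches.
Import-Module ActiveDirectory

$SamAccountName = 'jdoe'                    # placeholder: user being investigated
$Since          = (Get-Date).AddDays(-35)   # placeholder look-back window

# Security-enabled group membership events (Account Management auditing):
#   4728/4729 = global group add/remove
#   4732/4733 = local group add/remove
#   4756/4757 = universal group add/remove
$EventIds = 4728, 4729, 4732, 4733, 4756, 4757

$user = Get-ADUser -Identity $SamAccountName

$results = foreach ($dc in Get-ADDomainController -Filter *) {
    # Each DC keeps its own log; report the oldest record it still holds
    # so you know whether a month-old change can be there at all.
    $oldest = Get-WinEvent -ComputerName $dc.HostName -LogName Security -Oldest -MaxEvents 1
    Write-Host ("{0}: oldest Security event is {1:u}" -f $dc.HostName, $oldest.TimeCreated)

    $filter = @{ LogName = 'Security'; Id = $EventIds; StartTime = $Since }
    Get-WinEvent -ComputerName $dc.HostName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Named fields are in the event XML: MemberSid (the user),
            # TargetUserName (the group), SubjectUserName (who made the change).
            $data = @{}
            ([xml]$_.ToXml()).Event.EventData.Data |
                ForEach-Object { $data[$_.Name] = $_.'#text' }

            if ($data['MemberSid'] -eq $user.SID.Value) {
                [pscustomobject]@{
                    Time      = $_.TimeCreated
                    DC        = $dc.HostName
                    EventId   = $_.Id
                    Action    = if ($_.Id -in 4728, 4732, 4756) { 'Added' } else { 'Removed' }
                    Group     = $data['TargetUserName']
                    ChangedBy = $data['SubjectUserName']
                }
            }
        }
}

$results | Sort-Object Time | Format-Table -AutoSize
```

An empty result on a DC whose oldest event is newer than the date of interest means the record has rolled over, not that no change occurred.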
 

Author Comment

by:Eprs_Admin
ID: 40557188
That helps a lot, thanks.
0
