WPC479
asked on
Windows Server 2012 logs
OS= Windows Server 2012
In AD, if I have an OU name changed from "OU=users" to "OU=Users", which log would I find this?
In AD, if I have an OU name changed from "OU=users" to "OU=Users", which log would I find this?
I think that if you have auditing turned on then I think you can look in the security log for Event ID 5139.
ASKER
5139 isn't correct in this.
I found the following list from a few locations, when auditing is turned on.
Open Event viewer and filter Security log to find event id’s (Windows Server 2003/2008-2012):
- 631, 635, 648, 653, 658, 663/4727, 4731, 4754 , 4759, 4744, 4749 – Group created
- 632, 636, 650, 655, 660, 665/4728, 4732, 4756 , 4761, 4746, 4751 – Member added to a group
- 633, 637, 651, 656, 661, 666/4729, 4733, 4757, 4762, 4747, 4752 – Member removed from a group
- 634, 638, 652, 662, 667, 657/4730, 4734, 4758, 4748, 4753, 4763 – Group deleted
- 639, 641, 649, 654, 659, 664/4735, 4737, 4745, 4750, 4755, 4760 – Group changed
- 566/4662 - An operation was performed on an object(OU Changes) (Type: Directory Service Access).
I found the following list from a few locations, when auditing is turned on.
Open Event viewer and filter Security log to find event id’s (Windows Server 2003/2008-2012):
- 631, 635, 648, 653, 658, 663/4727, 4731, 4754 , 4759, 4744, 4749 – Group created
- 632, 636, 650, 655, 660, 665/4728, 4732, 4756 , 4761, 4746, 4751 – Member added to a group
- 633, 637, 651, 656, 661, 666/4729, 4733, 4757, 4762, 4747, 4752 – Member removed from a group
- 634, 638, 652, 662, 667, 657/4730, 4734, 4758, 4748, 4753, 4763 – Group deleted
- 639, 641, 649, 654, 659, 664/4735, 4737, 4745, 4750, 4755, 4760 – Group changed
- 566/4662 - An operation was performed on an object(OU Changes) (Type: Directory Service Access).
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
That is awesome!
Thanks pony10us
Thanks pony10us
Glad I could help.
Sorry I didn't give you all the information in the first response. We are a bit busy here and so I rushed my answer. I should know better. :(
Sorry I didn't give you all the information in the first response. We are a bit busy here and so I rushed my answer. I should know better. :(