Without auditing enabled want to check who renamed an OU in AD

I would like to see the exact time at which an object's name was last changed and from which DC it originated (there was a renaming of an OU without auditing enabled).

Michelangelo mentioned it was possible to do this and check the Kerberos tickets as well; an outline of this would be great.
You can see where an object change originated (which DC) by using
repadmin /showobjmeta <dcname> <OU distinguishedName>
See repadmin /?:showobjmeta for more info.

However, as far as using Kerberos tickets or events to narrow down to a specific person - you may be able to find some correlation which narrows down to a few people, but I wouldn't be confident at all in tracking to a specific person the rename operation, especially if you had multiple admins logged on or doing operations at the same time.
Despite what you have heard, to my knowledge this is not possible without the proper auditing being in place. You could review the security logs, and look at specific Kerberos events, but it would take you years to filter them all. Another hurdle you would need to overcome is narrowing the events down to a single person and then determining which events pertain to that given action.
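
One way to script the approach described in the answers above, as an added example that is not part of the original thread: read the replication metadata of the OU's `name` attribute to get the originating DC and time, then list the accounts with logon or Kerberos events on that DC around that time. The DN, DC name and window are placeholders; it assumes the RSAT ActiveDirectory module and that those events are still in the DC's Security log, and the output is a list of candidates, not an attribution.

```powershell
# Added example. Placeholders below are constructed, not values from the thread.
Import-Module ActiveDirectory                      # RSAT ActiveDirectory module
$OuDn      = 'OU=Renamed,DC=example,DC=com'        # placeholder: DN of the renamed OU
$QueryDc   = 'dc01.example.com'                    # placeholder: any DC to read metadata from
$WindowMin = 10                                    # assumed window, minutes either side

# 1. Replication metadata of 'name', the attribute whose stamp a rename updates.
$change = Get-ADReplicationAttributeMetadata -Object $OuDn -Server $QueryDc -Properties name
if (-not $change) { throw "No replication metadata for 'name' on $OuDn" }
$change | Format-List AttributeName, Version, LastOriginatingChangeTime,
    LastOriginatingChangeUsn, LastOriginatingChangeDirectoryServerIdentity

# 2. Resolve the originating DC: the identity is the DN of its NTDS Settings object,
#    and the parent server object carries dNSHostName. Empty if that DC was demoted.
$ntdsDn = $change.LastOriginatingChangeDirectoryServerIdentity
if (-not $ntdsDn) { throw 'Originating DC no longer exists in the configuration partition' }
$serverDn = $ntdsDn -replace '^CN=NTDS Settings,', ''
$originDc = (Get-ADObject -Identity $serverDn -Server $QueryDc -Properties dNSHostName).dNSHostName

# 3. Logon (4624) and Kerberos (4768, 4769) events on that DC around the change time.
$t = $change.LastOriginatingChangeTime
$events = Get-WinEvent -ComputerName $originDc -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName = 'Security'; Id = 4624, 4768, 4769
    StartTime = $t.AddMinutes(-$WindowMin); EndTime = $t.AddMinutes($WindowMin)
}

# 4. Reduce to candidate accounts (machine accounts dropped), with source addresses.
$events | ForEach-Object {
    $d = @{}
    ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
    [pscustomobject]@{ Account = $d['TargetUserName']; Source = $d['IpAddress']; Id = $_.Id }
} | Where-Object { $_.Account -and $_.Account -notmatch '\$(@|$)' } |
    Group-Object Account | Sort-Object Count -Descending |
    Select-Object Name, Count,
        @{ n = 'EventIds'; e = { ($_.Group.Id | Sort-Object -Unique) -join ',' } },
        @{ n = 'Sources';  e = { ($_.Group.Source | Sort-Object -Unique) -join ', ' } }
```
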
Indie101 (Author) Commented:
I have the time of the change from a 3rd party tool. Does that help in narrowing it down?
Sara Teasdale Commented:
You can use third party tools like Quest and Netwrix to find out WHO changed WHAT, WHEN, and WHERE to list additions, deletions, and modifications made to Active Directory users, groups, computers, OUs, group memberships. Please check out


NetWrix tool : http://www.netwrix.com/active_directory_change_reporting_freeware.html

Quest: http://www.quest.com/changeauditor-for-active-directory/

That is very true, but you must have auditing enabled for those tools to function.
Question has a verified solution.
