Without auditing enabled want to check who renamed an OU in AD

I would like to see the exact time at which an object's name was last changed and from which DC the change originated (there was a renaming of an OU without auditing enabled).

Michelangelo mentioned it was possible to do this and check the Kerberos tickets as well. An outline of this would be great.
Indie101 Asked:

ITguy565 Commented:
Despite what you have heard, to my knowledge this is not possible without the proper auditing being in place. You could review the security logs, and look at specific Kerberos events, but it would take you years to filter them all. Another hurdle you would need to overcome is narrowing the events down to a single person and then determining which events pertain to that given action.
0
Indie101 Author Commented:
I have the time of the change from a 3rd-party tool. Does that help in narrowing it down?
0
footech Commented:
You can see where an object change originated (which DC) by using
repadmin /showobjmeta <dcname> <OU distinguishedName>
See repadmin /?:showobjmeta for more info.

However, as far as using Kerberos tickets or events to narrow down to a specific person - you may be able to find some correlation which narrows down to a few people, but I wouldn't be confident at all in tracking to a specific person the rename operation, especially if you had multiple admins logged on or doing operations at the same time.
1
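
The lookup described in the answer above, done with the ActiveDirectory PowerShell module rather than repadmin, followed by the logon correlation the thread discusses. This is an added example, not code from any poster: the DC name, OU DN and 10-minute window are placeholders, and it assumes the originating DC's Security log still holds logon events (4624) for that period. The output is a list of candidate accounts, not proof of who performed the rename.

```powershell
# Added example. $Server, $OuDn and $Window are placeholders to replace.
Import-Module ActiveDirectory

$Server = 'dc01.example.com'              # placeholder: any reachable DC
$OuDn   = 'OU=Sales,DC=example,DC=com'    # placeholder: the OU's current DN
$Window = New-TimeSpan -Minutes 10        # assumption: search +/- 10 minutes

# A rename rewrites the RDN, so the 'name' and 'ou' attributes carry its stamp.
$meta = Get-ADReplicationAttributeMetadata -Object $OuDn -Server $Server -Properties name, ou
$meta | Format-Table AttributeName, Version, LastOriginatingChangeTime,
    LastOriginatingChangeDirectoryServerIdentity, LastOriginatingChangeUsn -AutoSize

$rename = $meta | Where-Object AttributeName -eq 'name'
if (-not $rename) { throw "No replication metadata for 'name' on $OuDn" }

# The identity is the DN of the DC's NTDS Settings object; its parent is the
# server object, which holds the DC's DNS host name.
$serverDn = $rename.LastOriginatingChangeDirectoryServerIdentity -replace '^CN=NTDS Settings,', ''
$originDc = (Get-ADObject -Identity $serverDn -Properties dNSHostName -Server $Server).dNSHostName
$when     = $rename.LastOriginatingChangeTime
"Rename originated on $originDc at $when"

# Logon events (4624) recorded on the originating DC around the change.
$filter = @{ LogName = 'Security'; Id = 4624
             StartTime = $when - $Window; EndTime = $when + $Window }
Get-WinEvent -ComputerName $originDc -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = @{}
        ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            User      = '{0}\{1}' -f $d.TargetDomainName, $d.TargetUserName
            LogonType = $d.LogonType
            SourceIp  = $d.IpAddress
        }
    } |
    Where-Object { $_.User -notmatch '\$$' } |   # drop computer accounts
    Sort-Object Time | Format-Table -AutoSize
```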

Sara Teasdale Commented:
You can use third-party tools like Quest and Netwrix to find out WHO changed WHAT, WHEN, and WHERE to list additions, deletions, and modifications made to Active Directory users, groups, computers, OUs, group memberships. Please check out:

https://www.netwrix.com/how_to_detect_changes_to_organizational_units_and_groups_in_active_directory.html

NetWrix tool: http://www.netwrix.com/active_directory_change_reporting_freeware.html

Quest: http://www.quest.com/changeauditor-for-active-directory/
0
ITguy565 Commented:
@Sara,

That is very true, but you must have auditing enabled for those tools to function.
0