We help IT Professionals succeed at work.

Is there a way to see who edited and deleted local groups on a Windows 2012 Server?

Medium Priority
Last Modified: 2019-10-28
Is there a way to tell if a local group on a 2012 server was deleted and by who made the change and when it happened? Not AD groups, but the local groups on the machine, ie.. Remote Desktop Users, Power Users, ADSyncAdmins, etc..

Also, if a service was changed or reset to it's default settings, is there a change log of this on server 2012 to see who/when it happened?
Watch Question

Senior Systems Admin
Top Expert 2010
Only if you have auditing enabled on the computer, and only if the change occurred within the logging limits (either file size or date). To both. The system log will show you when a service was changed, but won't show you who made the change. Only audit logging will do that, and audit logging isn't enabled by default.


Thank you Adam - unfortunately it's a newly built VM and auditing was not yet enabled.

Explore More ContentExplore courses, solutions, and other research materials related to this topic.