Unexpected OU Move problem tracking it down


  • Unexpected OU Move problem tracking it down

    I am looking to find a Windows Event ID from domain controller logs that might help me determine who and when an OU in our domain was moved.
    The move caused some fairly substantial issues for the affected users, I've been asked to track down all the details.
    A bunch of time at the Microsoft site and other Google searching has not turned up anything specific.
    Anyone here know what Event IDs will point to OU Move (OU Operations) events?
    Thanks in advance!

  • #2
    Re: Unexpected OU Move problem tracking it down

    Were you Auditing changes to the AD Structure? If not, forget it; you'll be unlikely to find anything out without Microsoft assistance I don't think.


    Tom
    For my own and your protection, I do not provide support by private message under any circumstances. All such messages will be deleted and ignored.

    Anything you say will be misquoted and used against you



    • #3
      Re: Unexpected OU Move problem tracking it down

      Given you have auditing of OU creation/deletion configured, you should be looking for event id 566 that looks like this:
      Code:
      Object Operation:
       	Object Server:	DS
       	Operation Type:	Object Access
       	Object Type:	domainDNS
       	Object Name:	DC=gute,DC=local
       	Handle ID:	-
       	Primary User Name:	SENECA$
       	Primary Domain:	GUTE
       	Primary Logon ID:	(0x0,0x3E7)
       	Client User Name:	guyt
       	Client Domain:	GUTE
       	Client Logon ID:	(0x0,0x85E9026)
       	Accesses:	Create Child 
      			
       	Properties:
      	Create Child 
      	organizationalUnit
      
       	Additional Info:	ou=t3,DC=gute,DC=local
       	Additional Info2:	OU=t3,OU=Test,DC=gute,DC=local
       	Access Mask:	0x1
      Note the
      Additional Info: ou=t3,DC=gute,DC=local
      Additional Info2: OU=t3,OU=Test,DC=gute,DC=local

      part. It contains the original and new location of the object.
      Guy Teverovsky
      "Smith & Wesson - the original point and click interface"

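The Additional Info / Additional Info2 comparison from post #3, automated over exported event 566 description text. This is an added example, not code from anyone in the thread. The function names, the trimmed sample and the "-" value in the second sample are assumptions, and the code reports both locations without deciding which field holds the original one.

```python
import re

# Trimmed copy of the event 566 text quoted in post #3 (tab-separated, as exported).
SAMPLE_566 = (
    "Object Operation:\n"
    "\tObject Server:\tDS\n"
    "\tObject Name:\tDC=gute,DC=local\n"
    "\tClient User Name:\tguyt\n"
    "\tClient Domain:\tGUTE\n"
    "\tAccesses:\tCreate Child \n"
    "\tAdditional Info:\tou=t3,DC=gute,DC=local\n"
    "\tAdditional Info2:\tOU=t3,OU=Test,DC=gute,DC=local\n"
)
# Constructed variant: assumes a non-move event leaves Additional Info2 as "-".
SAMPLE_NO_MOVE = SAMPLE_566.replace("OU=t3,OU=Test,DC=gute,DC=local", "-")

FIELD = re.compile(r"^\s*([^:]+?):\s*(.*?)\s*$")

def parse_fields(message):
    """Return the 'Name: value' pairs of an event description as a dict."""
    fields = {}
    for line in message.splitlines():
        m = FIELD.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields

def split_dn(dn):
    """Split a DN into lower-cased RDNs, honouring backslash-escaped commas."""
    return [rdn.strip().lower() for rdn in re.split(r"(?<!\\),", dn) if rdn.strip()]

def find_move(message):
    """Return account, object and both locations for a move-like event, else None."""
    f = parse_fields(message)
    a = split_dn(f.get("Additional Info", ""))
    b = split_dn(f.get("Additional Info2", ""))
    # Treat the event as a move only when both DNs exist and their parents differ.
    if len(a) < 2 or len(b) < 2 or a[1:] == b[1:]:
        return None
    return {
        "account": f.get("Client Domain", "?") + "\\" + f.get("Client User Name", "?"),
        "object": a[0],
        "locations": (f["Additional Info"], f["Additional Info2"]),
    }

if __name__ == "__main__":
    print(find_move(SAMPLE_566))
    print(find_move(SAMPLE_NO_MOVE))
```

The event's timestamp lives in the record header rather than in the description text, so keep it alongside each description when exporting the Security log.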


      • #4
        Re: Unexpected OU Move problem tracking it down

        Yes -- auditing is running, and all my other searching turned up was the '566' event code. So, thank you very much GUYT. If I find something interesting, I'll post it.
        I will be creating a little test of this type of event, who knows, it may be worthwhile.
        Thanks again, I appreciate the help.
