Track AD activity

  • Track AD activity

    Someone in my team moved an OU from its place. This caused havoc in the office. We were successfully able to restore the OU to its original position and settings but want to catch the culprit.

    Is there any way I can find out who did it? We do not have Auditing of Object Access in Default DC policy so event logs are out of the question.

    Any help will be greatly appreciated.



  • #2
    Re: Track AD activity

    We had this problem with our Service Desk - they would regularly delete and/or move OUs by mistake.

    Rather than find out who did it, why don't you prevent it happening again?

    See the script in this thread, which will remove explicitly defined permissions for a named user or group on OUs.

    Then, at the Domain Object level, set permissions on OU Objects only, for the user or group who are doing this by mistake (it could only be account operators or higher), to "DENY" for delete object, write all properties, write and change permissions.

    BE CAREFUL - if you DENY Domain Admins this permission, they will not be able to get it back without taking ownership. I suggest you start with Account Operators and wait to see if it happens again. Also set auditing on OUs so that you can discover who does it next time, so that you can apply this process to that person's group.

    For my own and your protection, I do not provide support by private message under any circumstances. All such messages will be deleted and ignored.

    Anything you say will be misquoted and used against you


    • #3
      Re: Track AD activity

      No auditing turned on + no logs => no way to find out who did it. Looks like it's about time to review your auditing policy.
      Guy Teverovsky
      "Smith & Wesson - the original point and click interface"


      • #4
        Re: Track AD activity

        Thank you GuyT and StoneLaughter. This is the first time that such a thing happened. We have turned on the Auditing Policy now. I guess that's all that can be done for now.

        Thanks again for your help!!


        • #5
          Re: Track AD activity

          Don't forget to save logs daily / twice a day, or logs may be overwritten.
          MCSE 2003, MCSA - Messaging 2003, VCP
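
An added example, not written by any poster in this thread: once auditing on OUs is enabled as suggested in #2, this PowerShell sketch lists who moved an OU and archives the result so the evidence outlives log rollover, as #5 advises. It assumes domain controllers running Windows Server 2008 or later, where the "Directory Service Changes" audit subcategory records moves as Security event 5139; the look-back window and the archive folder are hypothetical values.

```powershell
# Run on a domain controller with rights to read the Security log.
# Prerequisites (assumed already in place):
#   auditpol /set /subcategory:"Directory Service Changes" /success:enable
#   and an audit entry (SACL) on the OUs, as post #2 recommends.

$since   = (Get-Date).AddDays(-1)      # look-back window (assumption)
$archive = 'C:\AuditArchive'           # hypothetical archive folder

# Event 5139 = "A directory service object was moved"
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 5139
    StartTime = $since
} -ErrorAction SilentlyContinue        # no matches is not an error here

$moves = foreach ($e in $events) {
    # Turn the named EventData fields into a lookup table
    $xml = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    # Keep only moves of organizational units
    if ($d['ObjectClass'] -ne 'organizationalUnit') { continue }

    [pscustomobject]@{
        TimeCreated = $e.TimeCreated
        Account     = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
        OldDN       = $d['OldObjectDN']
        NewDN       = $d['NewObjectDN']
    }
}

if ($moves) {
    $moves | Format-Table -AutoSize

    # Archive a timestamped copy so a wrapped Security log does not lose it
    New-Item -ItemType Directory -Path $archive -Force | Out-Null
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    $moves | Export-Csv -Path (Join-Path $archive "ou-moves-$stamp.csv") -NoTypeInformation
} else {
    Write-Output "No OU move events (5139) found since $since."
}
```

The event is written on the domain controller that processed the move, so run the query against each DC or against a central log collector.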