Announcement

Collapse
No announcement yet.

AD Account History

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • AD Account History

    This may be a silly question, but I can't see an obvious way to tell which account was last used to modify a particular user.

    I need to know who made the last modification on a particular user account.

    Does anyone know a way to find this out?

  • #2
    Re: AD Account History

    Auditing maybe?
    http://www.windowsecurity.com/articl...urity-Log.html
    cheers
    Andy

    Please read this before you post:


    Quis custodiet ipsos custodes?

    Comment


    • #3
      Re: AD Account History

      Originally posted by aucyris View Post
      This may be a silly question, but I can't see an obvious way to tell which account was last used to modify a particular user.

      I need to know who made the last modification on a particular user account.

      Does anyone know a way to find this out?
      It depends whether auditing as been setup in AD.

      http://support.microsoft.com/kb/314955

      Not sure what AD version you are but should be similar in all editions. W2k8 gives you even more information.

      Edit: I was posing the same time as you Andy.

      Comment


      • #4
        Re: AD Account History

        On the audit policy, "Audit Account Management" is set to audit successes and failures. Is this what I need?

        Comment


        • #5
          Re: AD Account History

          Originally posted by aucyris View Post
          On the audit policy, "Audit Account Management" is set to audit successes and failures. Is this what I need?
          Is that policy assigned to the 'Default Domain Controller's' policy?

          Comment


          • #6
            Re: AD Account History

            Yes.

            I set all of the policies for default domain controllers to audit successes just to be sure.

            I forced a group policy update on the box, and to test I changed my phone number in Active Directory, but I can't find it in any of the logs.

            Comment


            • #7
              Re: AD Account History

              The audits should appear in the 'security log'.

              Comment


              • #8
                Re: AD Account History

                I've looked through them for the appropriate time window, and I can't find squat related to the phone number change.

                Can anyone post the contents of an example log entry after you change your telephone number, for example, in active directory?

                I'm wondering if something is broken with auditing/logging or if the audit logs just aren't that detailed.

                Comment


                • #9
                  Re: AD Account History

                  Originally posted by Virtual View Post
                  It depends whether auditing as been setup in AD.

                  http://support.microsoft.com/kb/314955

                  Not sure what AD version you are but should be similar in all editions. W2k8 gives you even more information.

                  Edit: I was posing the same time as you Andy.



                  People who are posers don't usually fess up to it. Your candor is refreshing.

                  Comment


                  • #10
                    Re: AD Account History

                    Originally posted by joeqwerty View Post
                    [/b]


                    People who are posers don't usually fess up to it. Your candor is refreshing.
                    Whoops. I won't edit my spelling error for 'comedy' value.

                    Comment


                    • #11
                      Re: AD Account History

                      Found it:

                      Event Type: Success Audit
                      Event Source: Security
                      Event Category: Directory Service Access
                      Event ID: 566
                      Date: 3/20/2009
                      Time: 12:18:08 PM
                      User: <DOMAIN>\USER (EDITED)
                      Computer: <DOMAIN CONTROLLER> (EDITED)
                      Description:
                      Object Operation:
                      Object Server: DS
                      Operation Type: Object Access
                      Object Type: user
                      Object Name: CN=<AUCYRIS>,CN=Users,DC=<DC>,DC=<DC>,DC=com (EDITED)
                      Handle ID: -
                      Primary User Name: <DOMAIN CONROLLER>$ (EDITED)
                      Primary Domain: <DOMAIN> (EDITED)
                      Primary Logon ID: (0x0,0x3E7)
                      Client User Name: <AUCYRIS> (EDITED)
                      Client Domain: <DOMAIN> (EDITED)
                      Client Logon ID: (0x0,0x22DF8E)
                      Accesses: Write Property

                      Properties:
                      Write Property
                      Personal Information
                      telephoneNumber
                      user
                      Additional Info:
                      Additional Info2:
                      Access Mask: 0x20

                      For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

                      Comment


                      • #12
                        Re: AD Account History

                        LOL. Funny.

                        Comment


                        • #13
                          Re: AD Account History

                          Glad you now have aucyris.

                          Comment


                          • #14
                            Re: AD Account History

                            Problems solved so maybe aucyris should pose now?
                            cheers
                            Andy

                            Please read this before you post:


                            Quis custodiet ipsos custodes?

                            Comment


                            • #15
                              Re: AD Account History

                              I've got my picture phone ready...

                              Comment

                              Working...
                              X