Who has deleted AD Object?


  • Who has deleted AD Object?

    Hi,

    I wanted to know who has deleted an object from my Active Directory. This user is a very sensitive user and it is used to authenticate between a Linux machine and MS Active Directory.

    Thanks in advance,
    ================================
    HND: Higher National Diploma in
    Computer Science(IT)


    Passed:
    MCSA+Security 2003, VCP3, VCP4
    Done:VMware DSA
    ================================

  • #2
    Re: Who has deleted AD Object?

    If it has already been deleted, choose from Tea Leaves, Crystal Balls or possibly a Ouija Board.

    Alternatively, get a list of the (one hopes limited number of) users who have permission and question them rigorously, possibly with bright lights and rubber hoses.

    Server 2008 AD has auditing of object modifications, but, like all other auditing, it has to be turned on first so will not help you if something was done beforehand.

    Of course, you could do an authoritative restore from backup, couldn't you?
    Tom Jones
    MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
    PhD, MSc, FIAP, MIITT
    IT Trainer / Consultant
    Ossian Ltd
    Scotland

    ** Remember to give credit where credit is due and leave reputation points where appropriate **



    • #3
      Re: Who has deleted AD Object?

      hehehe hoses with matured guys loooooooooool that will never work...

      I posted this because auditing is not enabled, and I wondered whether there is a way to get it even though auditing is not enabled. Anyway, lesson learned: I will enable auditing from now on for future cases.

      Thanks,
      ================================
      HND: Higher National Diploma in
      Computer Science(IT)


      Passed:
      MCSA+Security 2003, VCP3, VCP4
      Done:VMware DSA
      ================================



      • #4
        Re: Who has deleted AD Object?

        Hi,
        The problem was solved by enabling an Audit Policy.

        Enable Audit Policy:


        1. Log on to your DC, open Group Policy Management

        2. Right-click Default Domain Policy, select Edit

        3. Go to Local Computer Policy > Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policy, double-click to open Audit Object Access & Audit Directory Service Access

        4. Check both options (Success and Failure) under Audit these objects, click OK

        When a test user is created and deleted, you will receive event 4726 in Windows 2008.

        Hope it helps someone else.

        Thanks,
        ================================
        HND: Higher National Diploma in
        Computer Science(IT)


        Passed:
        MCSA+Security 2003, VCP3, VCP4
        Done:VMware DSA
        ================================
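
Once auditing is on, the deletion events can be read back from the Security log. The PowerShell below is an added example, not part of the original posts: it pulls "who deleted what" out of event 4726 and goes one step beyond the thread by also handling 5141, the directory service object deletion event. The function name, the sample XML and every account name in it are constructed for illustration.

```powershell
# Added example (not from the thread). Field names follow the standard
# EventData layout of Security events 4726 (user account deleted) and
# 5141 (directory service object deleted; needs Directory Service Changes auditing).
function ConvertFrom-DeletionEvent {
    param([Parameter(Mandatory)][xml]$EventXml)

    # local-name() sidesteps the event schema's default XML namespace.
    $id = [int]$EventXml.SelectSingleNode("//*[local-name()='EventID']").InnerText
    if ($id -notin 4726, 5141) { return }   # not a deletion event we understand
    $time = $EventXml.SelectSingleNode("//*[local-name()='TimeCreated']").GetAttribute('SystemTime')

    # Flatten <Data Name="...">value</Data> into a lookup table.
    $data = @{}
    foreach ($node in $EventXml.SelectNodes("//*[local-name()='Data']")) {
        $data[$node.GetAttribute('Name')] = $node.InnerText
    }

    # 4726 names the account in Target*; 5141 carries the object's DN instead.
    if ($id -eq 5141) {
        $deleted = $data['ObjectDN']
    } else {
        $deleted = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
    }

    [pscustomobject]@{
        TimeUtc   = $time
        EventId   = $id
        DeletedBy = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
        Deleted   = $deleted
        LogonId   = $data['SubjectLogonId']   # ties the deletion to a logon session
    }
}

# Constructed sample event, so the parser can be tried off the DC.
$sample = [xml]@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4726</EventID><TimeCreated SystemTime="2024-01-01T10:00:00.000Z"/></System>
  <EventData>
    <Data Name="TargetUserName">svc-linux-auth</Data><Data Name="TargetDomainName">EXAMPLE</Data>
    <Data Name="SubjectUserName">jdoe</Data><Data Name="SubjectDomainName">EXAMPLE</Data>
    <Data Name="SubjectLogonId">0x3e7a1</Data>
  </EventData>
</Event>
'@
ConvertFrom-DeletionEvent $sample

# On a domain controller with auditing already enabled:
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4726, 5141 } |
#     ForEach-Object { ConvertFrom-DeletionEvent ([xml]$_.ToXml()) }
```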
