User/Computer Account Deletion


Jason

Hi,

I would appreciate it if you could tell me whether there is an easier way
(tools?) to find out who deleted a particular user account
in a domain.

I have a problem searching the security log, since we have
about 100 domain controllers in the domain.

Thanks & Regards,
Jason
 
There is a tool in the Resource Kit called DUMPEL.EXE. It dumps your logs,
even from a remote machine. Use this script, with appropriate changes, to get
your answer:

Create a NAMES.CSV file with your DC names:

DC001.mydomain.com
DCInTheOffice.hisdomain.org
DCNearMe.mil
DCNetbiosName

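and use this script from some .CMD file:


@echo off

rem Remove the output of a previous run, if there is one
if exist alllogs.txt del alllogs.txt

rem Append the Security log of every DC listed in names.csv to alllogs.txt
for /F "tokens=1 delims=," %%i in (names.csv) do (
    dumpel -l Security -S \\%%i >> alllogs.txt
)

rem Print matching lines, each prefixed with its line number in alllogs.txt
findstr /N /I /C:"system event" alllogs.txt
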
This script outputs all log entries to the "alllogs.txt" file in the same
directory and then searches for "system event" in the log. Replace
"system event" with the name of your user (or something) and it finds the
entries for you. Each such entry will have its line number (from alllogs.txt)
prefixed.

Nice day Ondra.
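
A narrower variant of the script above, as an added example that is not part of the original post: instead of dumping every Security record from about 100 DCs, it asks DUMPEL only for account-deletion events and marks which DC each record came from. It assumes Windows 2000/2003 domain controllers with account management auditing enabled, where event ID 630 is "user account deleted" and 647 is "computer account deleted"; the file names finddel.cmd and deletions.txt are hypothetical.

```batch
@echo off
rem Added example, not part of the original post.
rem Usage: finddel.cmd account-name   (finddel.cmd is a hypothetical file name)
rem Assumes Windows 2000/2003 DCs: event ID 630 = user account deleted,
rem 647 = computer account deleted, both logged with source "Security".
setlocal

if "%~1"=="" (
    echo Usage: %~nx0 account-name
    exit /b 1
)

if exist deletions.txt del deletions.txt

for /F "usebackq tokens=1 delims=," %%i in ("names.csv") do (
    rem Header line so every record below it can be tied to its DC
    >>deletions.txt echo === %%i ===
    rem -m and -e limit the dump to one source and the listed event IDs
    dumpel -l security -m security -e 630 647 -s \\%%i >> deletions.txt
)

rem Show the DC headers plus any deletion record that names the account
findstr /N /I /C:"=== " /C:"%~1" deletions.txt

endlocal
```

The deletion is recorded only in the Security log of the DC that performed it, so a header with no record beneath it means that DC either logged no such event or could not be read. The matching record's description names the caller account that made the deletion.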
 