Who did that?!

Orbital

Hi All,

It looks like someone's changed the name of one of my OUs, and I need to
find out who. I see a date within ADSI editor under the 'whenChanged'
value, but could this just be someone adding a new user or group to the OU?
I'm presuming such an OU name change would reside within the Sec logs on one
of my DCs?


Many Thanks in advance,
Orb.
 
Unless you have auditing of AD enabled (not the default) then you won't be able
to tell who did it. But you can tell when it was done and what DC mastered the
change.

Use repadmin with the /showmeta switch to show the metadata for the OU, look at
the ou attribute and it will tell you when and where the change was originated.

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm
 
Hi Joe,

Sorry forgot to mention this, but I have previously enabled auditing within
my directory.

Thanks for the advice, I'll take a look.

With Kind Regards,
Orb..
 
Ok, since you have, you just have to find the DC and time of the originating
change and then go look at the logs on that DC at that time.

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net
http://www.joeware.net/win/ad3e.htm
 
Hi Joe,

Thanks for your reply. I know I could just check each of my DCs
individually, but is there a way in which I could tell for sure which
controller made the change, or is this where the REPADMIN command comes in?

Thanks again for your help,
Orb.
 
A robust and inexpensive solution that can easily do this for you is
Active Administrator by ScriptLogic. Active Administrator centrally
audits the security event logs on your domain controllers. By auditing
the changes made to Active Directory permissions or group policies, you
can find out what changes were made in Active Directory, who made
changes, when the change was made and on which server (DC) it was made
on without having to filter through potentially thousands of event log
entries. Active Administrator can even email you when changes are made
in real time.

The Security Event Log Auditing in AA allows you to select which events
you would like to monitor (you may not want to collect every event that
occurs on your DCs for instance) so they can be stored in the packaged
MSDE database, or an existing SQL Server database. Once stored in the
central repository, AA will allow you to use filter criteria to build
your event reporting. The filter criteria available to build the
reports include user(s), date range, event(s), server(s) (DC) and/or
description mask(s).

You can check it out here:

http://www.scriptlogic.com/products/activeadmin/

Hope this helps!
 
That is where the repadmin command comes in. It will tell you the time and place
of the originating change.

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net
http://www.joeware.net/win/ad3e.htm
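
The two steps described in the replies above (read the `ou` attribute's replication metadata, then check the Security log on the originating DC around that time), as an added PowerShell example that is not part of the original thread. It uses `repadmin /showobjmeta`, the name this switch has in later repadmin versions; the OU DN, DC name and 5-minute window are hypothetical, and it assumes the timestamp repadmin prints is in the local time of the machine running it and that the DC's Security log can be read with `Get-WinEvent`.

```powershell
# Added example. $OuDn, $QueryDc and $Window are hypothetical values.
$OuDn    = 'OU=Sales,DC=example,DC=com'   # current DN of the renamed OU
$QueryDc = 'dc01.example.com'             # any DC that holds a copy of the object
$Window  = [TimeSpan]::FromMinutes(5)     # how far either side of the change to search

# Step 1: read the per-attribute replication metadata for the OU.
$meta = & repadmin /showobjmeta $QueryDc $OuDn
if ($LASTEXITCODE -ne 0) { throw "repadmin failed: $($meta -join ' ')" }

# Row layout: Loc.USN, Originating DSA (Site\DC), Org.USN, Org.Time/Date, Ver, Attribute.
# Only the row for the 'ou' attribute (the OU's naming attribute) is of interest.
$pattern = '^\s*\d+\s+(?<dsa>\S+)\s+\d+\s+(?<date>\d{4}-\d{2}-\d{2})\s+' +
           '(?<time>\d{2}:\d{2}:\d{2})\s+(?<ver>\d+)\s+ou\s*$'
$m = $meta | ForEach-Object { [regex]::Match($_, $pattern) } |
     Where-Object { $_.Success } | Select-Object -First 1
if (-not $m) { throw "No 'ou' attribute row found in the metadata for $OuDn" }

# The originating DSA is printed as Site\DCName; keep only the DC name.
$originDc = ($m.Groups['dsa'].Value -split '\\')[-1]
$when = [datetime]::ParseExact(
    "$($m.Groups['date'].Value) $($m.Groups['time'].Value)",
    'yyyy-MM-dd HH:mm:ss', [cultureinfo]::InvariantCulture)
"ou attribute (version $($m.Groups['ver'].Value)) last changed on $originDc at $when"

# Step 2: read the Security log on the originating DC around that time.
# A rename leaves the parent container unchanged, so matching on the parent DN
# catches entries that mention either the old or the new OU name.
$parentDn = $OuDn.Substring($OuDn.IndexOf(',') + 1)
$filter = @{
    LogName   = 'Security'
    StartTime = $when.Subtract($Window)
    EndTime   = $when.Add($Window)
}
Get-WinEvent -ComputerName $originDc -FilterHashtable $filter |
    Where-Object { $_.Message -match [regex]::Escape($parentDn) } |
    Sort-Object TimeCreated |
    Select-Object TimeCreated, Id, MachineName, Message |
    Format-List
```

If the filter returns nothing, widen `$Window` before concluding the change was not audited, since clock skew between DCs can shift the log entry relative to the metadata timestamp.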
 