Re: Account disappears


From: Hunter Coleman (glacialtill_at_yahoo.com)
Date: 07/12/04


Date: Mon, 12 Jul 2004 16:42:00 -0600

Sounds like they know pretty quickly when the account disappears. I'd just
use EventComb and search the Security logs for event ID 630 with a best
guess for the time window, optionally including the account ID in the
search. That shouldn't be too much resulting data to look through for the
exact audit event.

--
Hunter
"Jason Robarts [MSFT]" <jasonrob@online.microsoft.com> wrote in message
news:eHuUiyFaEHA.2944@TK2MSFTNGP11.phx.gbl...
> This KB explains how to turn on Active Directory auditing in Windows
> Server 2003: http://support.microsoft.com/default.aspx?kbid=814595  Here's a
> similar article for Windows 2000:
> http://support.microsoft.com/default.aspx?scid=kb;EN-US;314955  Per the
> help on the auditing policies for Windows Server 2003 we find the Account
> Management policy is set to audit success events by default so that may be
> sufficient.  I had to turn on the Account Management auditing to audit
> success events to detect the deletion in Windows 2000.
>
> If you have a small number of DCs and a small number of changes occurring
> on your DCs you may be able to just browse your event log and find out what
> user is deleting the account.  If there is just too much information to
> check, below is information on how to find out when the deletion happened
> and on what DC.  The general strategy is we're going to find the deleted
> object in the Deleted Objects container, then query the object's metadata
> to find the time the deletion occurred and on what DC.  That allows us to
> focus our search in the eventlog for the auditing event.  If someone knows a
> cleaner way to do this please post a reply.
>
> First you'll find the object in the Deleted Objects container.
> http://support.microsoft.com/default.aspx?scid=kb;en-us;258310  has
> information on how to do this.  Then I'd take the current DN of the object
> (it was changed by the deletion operation) and use it as an argument to
> repadmin /showobjmeta
> (http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/techref/en-us/Default.asp?url=/resources/documentation/windowsServ/2003/all/techref/en-us/repadmin_syntax.asp).
> So on my test domain we find the following object in the deleted objects
> container:
>
>
> >> Dn: CN=foobar\0ADEL:cc358fbc-4abf-466b-b2d5-091928b39db6,CN=Deleted
> >> Objects,DC=corp,DC=contoso,DC=com
>  4> objectClass: top; person; organizationalPerson; user;
>  1> cn: foobar
> DEL:cc358fbc-4abf-466b-b2d5-091928b39db6;
>  1> distinguishedName:
> CN=foobar\0ADEL:cc358fbc-4abf-466b-b2d5-091928b39db6,CN=Deleted
> Objects,DC=corp,DC=contoso,DC=com;
>  1> instanceType: 0x4 = ( IT_WRITE );
>  1> whenCreated: 07/12/2004 13:32:15 Pacific Standard Time Pacific Daylight Time;
>  1> whenChanged: 07/12/2004 13:32:20 Pacific Standard Time Pacific Daylight Time;
>  1> uSNCreated: 1260307;
>  1> isDeleted: TRUE;
>  1> uSNChanged: 1260316;
>  1> name: foobar
> DEL:cc358fbc-4abf-466b-b2d5-091928b39db6;
>  1> objectGUID: cc358fbc-4abf-466b-b2d5-091928b39db6;
>  1> userAccountControl: 0x202 = ( UF_ACCOUNTDISABLE | UF_NORMAL_ACCOUNT );
>  1> objectSid: S-1-5-21-3436611310-4029176544-906490007-1109;
>  1> sAMAccountName: foobar;
>  1> lastKnownParent: CN=Users,DC=corp,DC=contoso,DC=com;
>  4> dSCorePropagationData: 07/12/2004 13:32:20 Pacific Standard Time Pacific Daylight Time;
> 07/12/2004 13:32:20 Pacific Standard Time Pacific Daylight Time;
> 07/12/2004 13:32:20 Pacific Standard Time Pacific Daylight Time;
> 01/08/1601 07:10:56 Pacific Standard Time Pacific Daylight Time;
>
>
> We take the DN of the object and use repadmin to show the replication
> metadata:
>
> C:\Documents and Settings\Administrator>repadmin /showobjmeta localhost "CN=foobar\0ADEL:cc358fbc-4abf-466b-b2d5-091928b39db6,CN=Deleted Objects,DC=corp,DC=contoso,DC=com"
>
> 27 entries.
> Loc.USN                 Originating DC             Org.USN  Org.Time/Date       Ver Attribute
> =======                 ==============             =======  =============       === =========
> 1260307                 Data-Center-Site\ROOTDC1   1260307  2004-07-12 13:32:15   1 objectClass
> 1260316                 Data-Center-Site\ROOTDC1   1260316  2004-07-12 13:32:20   2 cn
> 1260316                 Data-Center-Site\ROOTDC1   1260316  2004-07-12 13:32:20   2 givenName
> 1260307                 Data-Center-Site\ROOTDC1   1260307  2004-07-12 13:32:15   1 instanceType
> 1260307                 Data-Center-Site\ROOTDC1   1260307  2004-07-12 13:32:15   1 whenCreated
> 1260316                 Data-Center-Site\ROOTDC1   1260316  2004-07-12 13:32:20   2 displayName
> 1260316                 Data-Center-Site\ROOTDC1   1260316  2004-07-12 13:32:20   1 isDeleted
> 1260311                 Data-Center-Site\ROOTDC1   1260311  2004-07-12 13:32:15   2 nTSecurityDescriptor
> 1260316                 Data-Center-Site\ROOTDC1   1260316  2004-07-12 13:32:20   2 name
> 1260313                 Data-Center-Site\ROOTDC1   1260313  2004-07-12 13:32:15   3 userAccountControl
> 1260316                 Data-Center-Site\ROOTDC1   1260316  2004-07-12 13:32:20   2 codePage
> 1260316                 Data-Center-Site\ROOTDC1   1260316  2004-07-12 13:32:20   2 countryCode
> 1260309                 Data-Center-Site\ROOTDC1   1260309  2004-07-12 13:32:15   2 dBCSPwd
> 1260308                 Data-Center-Site\ROOTDC1   1260308  2004-07-12 13:32:15   1 logonHours
> 1260316                 Data-Center-Site\ROOTDC1   1260316  2004-07-12 13:32:20   3 unicodePwd
> 1260308                 Data-Center-Site\ROOTDC1   1260308  2004-07-12 13:32:15   1 ntPwdHistory
> 1260316                 Data-Center-Site\ROOTDC1   1260316  2004-07-12 13:32:20   3 pwdLastSet
> 1260316                 Data-Center-Site\ROOTDC1   1260316  2004-07-12 13:32:20   2 primaryGroupID
> 1260316                 Data-Center-Site\ROOTDC1   1260316  2004-07-12 13:32:20   2 supplementalCredentials
> 1260307                 Data-Center-Site\ROOTDC1   1260307  2004-07-12 13:32:15   1 objectSid
> 1260316                 Data-Center-Site\ROOTDC1   1260316  2004-07-12 13:32:20   2 accountExpires
> 1260308                 Data-Center-Site\ROOTDC1   1260308  2004-07-12 13:32:15   1 lmPwdHistory
> 1260307                 Data-Center-Site\ROOTDC1   1260307  2004-07-12 13:32:15   1 sAMAccountName
> 1260316                 Data-Center-Site\ROOTDC1   1260316  2004-07-12 13:32:20   2 sAMAccountType
> 1260316                 Data-Center-Site\ROOTDC1   1260316  2004-07-12 13:32:20   2 userPrincipalName
> 1260316                 Data-Center-Site\ROOTDC1   1260316  2004-07-12 13:32:20   1 lastKnownParent
> 1260316                 Data-Center-Site\ROOTDC1   1260316  2004-07-12 13:32:20   2 objectCategory
> 0 entries.
> Type    Attribute     Last Mod Time   Originating DC      Loc.USN Org.USN Ver
> ======= ============  =============   =================   ======= ======= ===
>         Distinguished Name
>         =============================
>
> Looking for the Originating DC for the write on the isDeleted attribute we
> find the deletion was performed on ROOTDC1 at ~ 1:32 PM:
>
>  1 isDeleted
> 1260311                 Data-Center-Site\ROOTDC1   1260311 2004-07-12
> 13:32:15
>
> Then I'd look in the Security log in Event Viewer on that DC to try and
> find the deletion event.  If you don't want to audit all of the DCs in your
> domain you might start by auditing the one the originating write occurred
> on.  Of course the deletion might not occur on that one the next time.
> You can use this procedure to determine that the next time it happens.
>
> When I looked in the Server log on ROOTDC1 I found the following event:
>
> Event Type: Success Audit
> Event Source: Security
> Event Category: Account Management
> Event ID: 630
> Date:  7/12/2004
> Time:  1:32:20 PM
> User:  CORP\administrator
> Computer: ROOTDC1
> Description:
> User Account Deleted:
>   Target Account Name: foobar
>   Target Domain: CORP
>   Target Account ID: foobar
> DEL:cc358fbc-4abf-466b-b2d5-091928b39db6
>   Caller User Name: administrator
>   Caller Domain: CORP
>   Caller Logon ID: (0x0,0x5B90B5)
>   Privileges: -
>
>
> For more information, see Help and Support Center at
> http://go.microsoft.com/fwlink/events.asp.
>
>
> So we know the CORP\administrator account deleted the object.  That
> hopefully will get you started on tracking this.
>
>
>
> If you are using Windows 2000, repadmin has a /showmeta option that will
> give you the same information.  You'll want to take the value of the
> objectGUID attribute and pass it to repadmin like so:
>
> repadmin /showmeta "<GUID=696ab3b0-4bc0-4398-b630-988653db88b6>"
>
> for the object below.  The <GUID=[value of objectGUID attribute]> should
> work on Windows Server 2003 as well.
>
> >> Dn: CN=TestUser1134\
> DEL:696ab3b0-4bc0-4398-b630-988653db88b6,CN=Deleted
> Objects,DC=corp,DC=contoso,DC=com
>  1> cn: TestUser1134
> DEL:696ab3b0-4bc0-4398-b630-988653db88b6;
>  1> instanceType: 4;
>  1> isDeleted: TRUE;
>  1> distinguishedName: CN=TestUser1134\
> DEL:696ab3b0-4bc0-4398-b630-988653db88b6,CN=Deleted
> Objects,DC=corp,DC=contoso,DC=com;
>  4> objectClass: top; person; organizationalPerson; user;
>  1> objectGUID: 696ab3b0-4bc0-4398-b630-988653db88b6;
>  1> objectSid: S-15-6DECD52F-74BA50F4-320A1743-CA6;
>  1> name: TestUser1134
> DEL:696ab3b0-4bc0-4398-b630-988653db88b6;
>  1> sAMAccountName: TestUser1134;
>  1> userAccountControl: 546;
>  1> uSNChanged: 441793;
>  1> uSNCreated: 440337;
>  1> whenChanged: 6/16/2004 13:48:19 Pacific Standard Time Pacific Daylight
> Time;
>  1> whenCreated: 6/16/2004 13:47:35 Pacific Standard Time Pacific Daylight
> Time;
>
>
> Hope this helps.
>
> Jason
> -- 
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
> Use of included script samples is subject to the terms specified at
> http://www.microsoft.com/info/cpyright.htm
>
>
> "Jason" <mrstyle25@yahoo.com> wrote in message
> news:2b17e01c4682d$cb0adbc0$a501280a@phx.gbl...
> > Ok, you ready for a laugh, because I am full of tears. I
> > have an account that constantly removes itself from ACTIVE
> > DIRECTORY; when this happens, 90% of the time the mailbox
> > is left intact [to reattach later] but sometimes it will
> > delete as well. This user is an ADMIN and if I create an
> > INSTALL type account it still happens. This account has
> > been created by myself, him and others and it still
> > disappears. We have no security holes and it is not an
> > ongoing prank; it has been going on and off for several
> > months now. There are no discernible commonalities that
> > would explain this. Also, the account will sometimes give
> > telltale signs of trouble. The password will expire [set
> > to never expire], the account will lock itself out, etc.
> > We've created new users for new employees and have yet to
> > have any problems with these new accounts, and no problems
> > with any other ADMIN styled account. I/WE need serious
> > help. We can't continue to have an account disappear 5
> > times a day or work fine for a week and then disappear
> > again without cause. Thanks. Annoyed
>
>

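The procedure the thread describes has two mechanical steps: read the originating DC and time off the `isDeleted` row of `repadmin /showobjmeta`, then use that to narrow a Security-log search for event ID 630 to one DC and a short time window, the way Hunter suggests doing with EventComb. The script below is an added example, not code from the thread or from Microsoft; it works offline on constructed samples modelled on the output quoted above. The row layout it parses is assumed to be the one-row-per-attribute form of the Windows Server 2003 `/showobjmeta` output (the Windows 2000 `/showmeta` output is not handled), and the DC name `ROOTDC2`, the second sample account and every caller name are made up for illustration.

```python
"""Correlate repadmin /showobjmeta metadata with Security-log audit events.

Added example (not from the thread). Input data below is constructed to
resemble the quoted output; names, USNs and callers are assumptions.
"""
import re
from datetime import datetime, timedelta

# Constructed sample of the 2003-style `repadmin /showobjmeta` output,
# one attribute per row (only the rows this example needs are included).
SHOWOBJMETA_OUTPUT = """\
27 entries.
Loc.USN                 Originating DC             Org.USN  Org.Time/Date       Ver Attribute
=======                 ==============             =======  =============       === =========
1260307                 Data-Center-Site\\ROOTDC1   1260307  2004-07-12 13:32:15   1 objectClass
1260311                 Data-Center-Site\\ROOTDC1   1260311  2004-07-12 13:32:15   2 nTSecurityDescriptor
1260316                 Data-Center-Site\\ROOTDC1   1260316  2004-07-12 13:32:20   1 isDeleted
1260316                 Data-Center-Site\\ROOTDC1   1260316  2004-07-12 13:32:20   1 lastKnownParent
"""

# One metadata row: Loc.USN, Site\DC, Org.USN, date, time, version, attribute.
ROW_RE = re.compile(
    r"^\s*(?P<loc_usn>\d+)\s+(?P<site>[^\\\s]+)\\(?P<dc>\S+)\s+(?P<org_usn>\d+)\s+"
    r"(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<ver>\d+)\s+(?P<attr>\S+)\s*$"
)


def parse_showobjmeta(text):
    """Return one dict per attribute metadata row; header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue  # "N entries.", column headers, separator rows
        rows.append({
            "site": m.group("site"),
            "originating_dc": m.group("dc"),
            "org_usn": int(m.group("org_usn")),
            "version": int(m.group("ver")),
            "attribute": m.group("attr"),
            "time": datetime.strptime(m.group("date") + " " + m.group("time"),
                                      "%Y-%m-%d %H:%M:%S"),
        })
    return rows


def deletion_origin(rows):
    """DC and time of the originating write that set isDeleted, i.e. the deletion."""
    for r in rows:
        if r["attribute"].lower() == "isdeleted":
            return r["originating_dc"], r["time"]
    raise ValueError("no isDeleted row: object is not a tombstone")


# Constructed Security-log records in the shape of event ID 630 ("User Account
# Deleted") plus an unrelated 642 ("User Account Changed") for contrast.
SECURITY_EVENTS = [
    {"computer": "ROOTDC1", "event_id": 630, "time": datetime(2004, 7, 12, 11, 5, 0),
     "target": "olduser", "caller": "CORP\\svc-provisioning"},
    {"computer": "ROOTDC1", "event_id": 642, "time": datetime(2004, 7, 12, 13, 32, 15),
     "target": "foobar", "caller": "CORP\\administrator"},
    {"computer": "ROOTDC1", "event_id": 630, "time": datetime(2004, 7, 12, 13, 32, 20),
     "target": "foobar", "caller": "CORP\\administrator"},
    {"computer": "ROOTDC2", "event_id": 630, "time": datetime(2004, 7, 12, 13, 33, 0),
     "target": "foobar", "caller": "CORP\\helpdesk"},  # other DC, outside the search
]


def find_deletion_events(events, dc, when, target, window=timedelta(minutes=5)):
    """Event 630 records on the originating DC, within +/- window of the
    metadata time, whose target account name matches."""
    lo, hi = when - window, when + window
    return [e for e in events
            if e["computer"].upper() == dc.upper()
            and e["event_id"] == 630
            and lo <= e["time"] <= hi
            and e["target"].lower() == target.lower()]


def who_deleted(showobjmeta_text, events, target):
    """Full procedure: metadata -> (DC, time) -> matching audit events' callers."""
    dc, when = deletion_origin(parse_showobjmeta(showobjmeta_text))
    hits = find_deletion_events(events, dc, when, target)
    return dc, when, [h["caller"] for h in hits]


if __name__ == "__main__":
    dc, when, callers = who_deleted(SHOWOBJMETA_OUTPUT, SECURITY_EVENTS, "foobar")
    print(f"isDeleted originated on {dc} at {when}; event 630 callers: {callers}")
```

The five-minute window is deliberately generous: the metadata timestamp and the event-log timestamp both come from the originating DC, but the deleted object's `whenChanged` and the audit record can differ by a few seconds, and the window also absorbs small clock skew if you later widen the search to other DCs.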
