Re: Who deleted my OU ?

Tech Tip: Click here to run a free scan for Windows Errors and optimize PC performance

From: "Herb Martin" <news@xxxxxxxxxxxxxx>
Date: Wed, 19 Apr 2006 09:09:17 -0500

"Julian" <Julian@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:AFFE7E53-AC32-4ECD-A5BB-B3D64327A180@xxxxxxxxxxxxxxxx

Okay, so we have 4 domain admins and knowledge of the admin password. I
know
, I know ...
Yesterday , I had to do my first authoritative restore because one of the
above deleted an OU containing user acc's.This is not a pleasant
experiencing
I'll let you know. Anyhow , AD is up and running and all users happy.
Auditing was enabled on that DC prior to the OU going "missing" and now I
need to find out who deleted the OU so that I can break their knuckles. I
have persued the "directory service" logs but not sure what I am looking
for.I can also narrow down the time frame as not DC's had the replicated
changes.
So... can anyone help ?

You cannot do this (find the culprit) unless you were already
AUDITING either DSObjects (this on specifically) or Account
Management (I THINK OUs are included in that) generally.

Or, the fool will admit it. <grin>

--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]

.

Prev by Date: Re: adam manager user
Next by Date: Replmon
Previous by thread: Re: Who deleted my OU ?
Next by thread: Re: Who deleted my OU ?
Index(es):
- Date
- Thread

Relevant Pages

Re: Can you audit file access within Sharepoint Services 3.0?
... you can't enable it with Windows Explorer nor can you enable it with any out of the box stsadm command. ... Maybe one of the SharePoint-specific management tools from Quest Software or AvePoint allows you to view those logs but I haven't checked. ... an interface to turn on/off auditing; ... view the audit records so you'd have to build that as well. ...
(microsoft.public.sharepoint.windowsservices)
Re: log file how to?
... Once auditing is enabled, you might also try ElUnDump for html-based reports ... of Windows event logs. ... > You can enable auditing on your computers however for what you would want ...
(microsoft.public.win2000.networking)
RE: Trace of 139 attack?
... Enabling auditing is as important as what you enable. ... data in the logs, as well. ... That way, if the attacker ... Make international calls for as low as $.04/minute with Yahoo! ...
(Focus-Microsoft)
Re: User logging
... shouldn't....but be careful what auditing you choose to enable! ... I'm really thinking a keylog app is more what you need. ... Shouldn't, either, if you set your event logs to reasonable sizes before ... misuse is happening out of office hours. ...
(microsoft.public.windowsxp.security_admin)
Re: Keep admins off of client machines
... but if you have your auditing set correctly there will be ... > monitor the event logs and then do some action such as e-mail or page you. ... > As part of your overall security you would have auditing on computer room ... > settings at what time, when they were turned back on and who was in the ...
(microsoft.public.windows.server.sbs)