Re: Deleted User
- From: "chriss3 [MVP]" <nospamhere_chrisse@xxxxxxxxxx>
- Date: Thu, 21 Sep 2006 18:57:45 +0200
Hello, If Auditing wasn't configured properly during the moment this doesn't going to help this time, but here is a few resources on how to configure auditing and tacking of changed in Active Directory:
Audit Policy
This module describes how to set different settings that apply to auditing.
It also provides an example of audit events created by several common tasks.
http://www.microsoft.com/technet/security/guidance/secmod50.mspx
Microsoft Security: Threats and Countermeasures Guide - Audit Policy
An audit log records an entry whenever users perform certain actions that
you specify. For example, the modification of a file or a policy can trigger
an audit entry.
http://www.microsoft.com/technet/Security/topics/hardsys/tcg/tcgch03.mspx
Microsoft Windows XP - Audit Policy
This section covers:...
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/aptopnode.mspx
814595 - HOW TO: Audit Active Directory Objects in Windows Server 2003
This step-by-step article describes how to use Windows Server 2003 auditing
to track user activities and system-wide events in Active Directory. When
you use Windows Server 2003 auditing, you can track both user activities and
Windows Server 2003...
http://support.microsoft.com/default.aspx?scid=kb;en-us;814595
314955 - HOW TO: Audit Active Directory Objects in Windows 2000
This step-by-step article describes how to use Windows 2000 auditing to
track user activities and system-wide events in Active Directory. When you
use Windows 2000 auditing, you can track both user activities and Windows
2000 activities, which are...
http://support.microsoft.com/default.aspx?scid=kb;en-us;314955
HOW TO: Enable Local Security Auditing in Windows 2000:
http://support.microsoft.com/default.aspx?scid=kb;en-us;248260
HOWTO: Enabling Local Auditing Policies on Windows 2000:
http://support.microsoft.com/default.aspx?scid=kb;en-us;252412
--
Regards
Christoffer Andersson
Microsoft MVP - Directory Services
----------------------------------------------------------------
http://www.chrisse.se - Active Directory Resources
"Smurfster" <Smurfster@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:13A60BCF-551B-4E1C-A982-B96734406453@xxxxxxxxxxxxxxxx
If your security log does not over write as quick as the one I have, I would
suggest looking in the DC security Log for Event ID 630. Thsi will detail
the account that was deleted as well as the caller ID.
--
Smurfster
"FredT" wrote:
I have several administrators who can create and delete users in my 2003
native system. Late yesterday one of them deleted a upper level managers
account. I need to find out who deleted the account.
Thanks.
Fred
.
- References:
- Deleted User
- From: FredT
- Deleted User
- Prev by Date: Re: Deleted User
- Next by Date: Re: Delegating control
- Previous by thread: Re: Deleted User
- Next by thread: Re: Deleted User
- Index(es):
Relevant Pages
|
