Unexplained User Account Deletion
- From: michael_gore718@xxxxxxxxx
- Date: 15 Dec 2006 10:00:04 -0800
So here's an iffy one. Turns out a user account was deleted and
everything is pointing towards me. However I don't recall deleting the
account, then confirming the deletion, and confirming the deletion of
the associated mailbox. Heres the info from the Event logs, the header
is the same for both events:
Header>>
Date: 12/13/06
Source: Security
Time: 4:18:35 PM
Category: Account Mgmt
Type: Success A
Event ID: 630
This is the event in question>>
User Account Deleted:
Target Account Name: User1
Target Domain: DOMAIN
Target Account ID: DOMAIN\User1
Caller User Name: admin
Caller Domain: DOMAIN
Caller Logon ID: (0x0,0x64390BE)
Privileges: -
Here is the account I was working on at the time>>
User Account Deleted:
Target Account Name: User2
Target Domain: DOMAIN
Target Account ID: User2
DEL:d006b3a0-09de-45f2-8393-ba47246b8ea8
Caller User Name: admin
Caller Domain: DOMAIN
Caller Logon ID: (0x0,0x64390BE)
Privileges:
Right off the back i'm sure you can tell that something is missing.
WHERE IS THE GUID? It's been my experience that a deleted account
generates a modified GUID. Im not sure why the GUID was not generated
in the event. Can anyone explain this?
Another bit of information, the two events were timestamped for exactly
4:18:35 PM. Any help on this will be appreciated.
.
- Follow-Ups:
- Re: Unexplained User Account Deletion
- From: Joe Richards [MVP]
- Re: Unexplained User Account Deletion
- Prev by Date: Re: Computer Account
- Next by Date: Binding to ADAM as Authenticated User
- Previous by thread: Esoteric questions
- Next by thread: Re: Unexplained User Account Deletion
- Index(es):
Relevant Pages
|
