Re: Unexplained User Account Deletion

Joe,

Thanks for replying. I did not mean for you to take the 'modified
GUID' statement literally, however I am referring to the DEL: appended
to the beginning of the GUID when generated in the event.

Moving on, in your experience, have you seen the issue i've described
or can you provide a viable explanation as to why this may have
occurred?

Joe Richards [MVP] wrote:
What you mean generates a modified GUID? The object GUID does not change
during a "delete", it is maintained through the tombstone process.

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm


michael_gore718@xxxxxxxxx wrote:
So here's an iffy one. Turns out a user account was deleted and
everything is pointing towards me. However I don't recall deleting the

account, then confirming the deletion, and confirming the deletion of
the associated mailbox. Heres the info from the Event logs, the header

is the same for both events:

Header>>


Date: 12/13/06
Source: Security
Time: 4:18:35 PM
Category: Account Mgmt
Type: Success A
Event ID: 630


This is the event in question>>


User Account Deleted:
Target Account Name: User1
Target Domain: DOMAIN
Target Account ID: DOMAIN\User1
Caller User Name: admin
Caller Domain: DOMAIN
Caller Logon ID: (0x0,0x64390BE)
Privileges: -


Here is the account I was working on at the time>>


User Account Deleted:
Target Account Name: User2
Target Domain: DOMAIN
Target Account ID: User2
DEL:d006b3a0-09de-45f2-8393-ba47246b8ea8
Caller User Name: admin
Caller Domain: DOMAIN
Caller Logon ID: (0x0,0x64390BE)
Privileges:


Right off the back i'm sure you can tell that something is missing.
WHERE IS THE GUID? It's been my experience that a deleted account
generates a modified GUID. Im not sure why the GUID was not generated
in the event. Can anyone explain this?


Another bit of information, the two events were timestamped for exactly

4:18:35 PM. Any help on this will be appreciated.


.

Relevant Pages

  • Re: Security Event Id 552
    ... Also search the registry for the GUID in event log ... Administrator account doesn't appear in the SBSUsers folder since we renamed ... Target User Name: Guest ...
    (microsoft.public.windows.server.sbs)
  • Re: Unexplained User Account Deletion
    ... The object GUID does not change during a "delete", it is maintained through the tombstone process. ... Category: Account Mgmt ... Target Account Name: User1 ... Caller User Name: admin ...
    (microsoft.public.windows.server.active_directory)
  • Re: Unexplained User Account Deletion
    ... event log is at the heart of the problem in light of the fact that the ... GUID' statement literally, however I am referring to the DEL: ... Category: Account Mgmt ... Target Account Name: User1 ...
    (microsoft.public.windows.server.active_directory)
  • Re: Unexplained User Account Deletion
    ... Joe Richards Microsoft MVP Windows Server Directory Services ... GUID' statement literally, however I am referring to the DEL: ... Category: Account Mgmt ... Target Account Name: User1 ...
    (microsoft.public.windows.server.active_directory)
  • Re: Account management audit
    ... When I use Account Management ... then go look in my Security log I should see a 642 (user account changed) ... Target Account Name ... changed the password and the 'Caller User Name' being me, ...
    (microsoft.public.win2000.active_directory)