Re: Unexplained User Account Deletion



I have not ever seen a case where you delete one ID and two IDs get deleted. It is possible the GUI could screw up but unlikely if you are talking about ADUC as I would expect to hear a lot of that as I indirectly support millions of users through work and indirectly support multi-millions through joeware questions and newsgroups.

As for the events and how they come in, I don't really study the event logs, I don't much care for the whole system. What I tend to do for work is put provisioning tools into place and no one really manages AD directly, they request things through the tool and everything is logged that way.

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm


zexmarquis wrote:
Joe,

Thanks for replying. I did not mean for you to take the 'modified
GUID' statement literally, however I am referring to the DEL: appended
to the beginning of the GUID when generated in the event.

Moving on, in your experience, have you seen the issue I've described
or can you provide a viable explanation as to why this may have
occurred?

Joe Richards [MVP] wrote:
What do you mean, generates a modified GUID? The object GUID does not change
during a "delete", it is maintained through the tombstone process.

michael_gore718@xxxxxxxxx wrote:
So here's an iffy one. Turns out a user account was deleted and
everything is pointing towards me. However I don't recall deleting the
account, then confirming the deletion, and confirming the deletion of
the associated mailbox. Here's the info from the Event logs, the header
is the same for both events:

Header>>


Date: 12/13/06
Source: Security
Time: 4:18:35 PM
Category: Account Mgmt
Type: Success A
Event ID: 630


This is the event in question>>


User Account Deleted:
Target Account Name: User1
Target Domain: DOMAIN
Target Account ID: DOMAIN\User1
Caller User Name: admin
Caller Domain: DOMAIN
Caller Logon ID: (0x0,0x64390BE)
Privileges: -


Here is the account I was working on at the time>>


User Account Deleted:
Target Account Name: User2
Target Domain: DOMAIN
Target Account ID: User2
DEL:d006b3a0-09de-45f2-8393-ba47246b8ea8
Caller User Name: admin
Caller Domain: DOMAIN
Caller Logon ID: (0x0,0x64390BE)
Privileges:


Right off the bat I'm sure you can tell that something is missing.
WHERE IS THE GUID? It's been my experience that a deleted account
generates a modified GUID. I'm not sure why the GUID was not generated
in the event. Can anyone explain this?


Another bit of information, the two events were timestamped for exactly
4:18:35 PM. Any help on this will be appreciated.
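
Added example, not part of any post in this thread: Python code that parses Event ID 630 records in the text layout quoted above, folds the wrapped DEL: line back into Target Account ID, and groups deletions by caller, logon session and timestamp so that deletions sharing one session and one second stand out. The sample text is constructed from the fields quoted in the original post, and the function names are hypothetical.

```python
import re
from collections import defaultdict
# Constructed sample: the two events from the post, each with the shared header fields.
SAMPLE = """\
Time: 4:18:35 PM
Event ID: 630
Target Account Name: User1
Target Account ID: DOMAIN\\User1
Caller User Name: admin
Caller Logon ID: (0x0,0x64390BE)

Time: 4:18:35 PM
Event ID: 630
Target Account Name: User2
Target Account ID: User2
DEL:d006b3a0-09de-45f2-8393-ba47246b8ea8
Caller User Name: admin
Caller Logon ID: (0x0,0x64390BE)
"""

FIELD = re.compile(r"^([A-Za-z ]+?):\s*(.*)$")
DEL_GUID = re.compile(r"DEL:([0-9a-fA-F-]{36})")

def parse_events(text):
    """Split blank-line-separated records into dicts; fold wrapped lines into the previous field."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        event, last = {}, None
        for line in block.splitlines():
            line = line.strip()
            m = FIELD.match(line)
            if m and not line.startswith("DEL:"):
                last = m.group(1)
                event[last] = m.group(2)
            elif last:  # continuation, such as the wrapped "DEL:<guid>" line
                event[last] = (event[last] + " " + line).strip()
        guid = DEL_GUID.search(event.get("Target Account ID", ""))
        event["Deleted GUID"] = guid.group(1) if guid else None
        events.append(event)
    return events

def deletions_by_session(events):
    """Group Event ID 630 targets by (caller, logon session, timestamp)."""
    groups = defaultdict(list)
    for e in events:
        if e.get("Event ID") == "630":
            key = (e["Caller User Name"], e["Caller Logon ID"], e["Time"])
            groups[key].append((e["Target Account Name"], e["Deleted GUID"]))
    return dict(groups)
```

A key with more than one target means several deletions were logged under the same logon session in the same second; it does not say which tool or action issued them.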

