From Windows Active Directory Users and Groups. I can see when a user or group was modified. From System Internals I can also see when it was created. Is there a way to tell what User created the object or what user or process actually disabled it?

In this particular case it was created over a year ago, and last modified a few weeks ago.

Rowan Hawkins
  • Do you have AD change auditing enabled and are collecting the event log events? If not you may be out of luck. – Greg Askew Oct 02 '20 at 13:23
  • So this would have to be checked from the DC that handled the request on either state change, if change auditing is enabled? – Rowan Hawkins Oct 02 '20 at 13:30
  • On the DC, enter the following command: `auditpol /get /category:*`. Of course if you don't know if you are archiving events or where they are located, even if auditing is enabled the event may be lost. – Greg Askew Oct 02 '20 at 13:57
  • @GregAskew Can you throw your two comments into an answer so I can approve it? I won't be able to take it further at my current company, and at least this way another person visiting the site will be able to quickly check if the logging is enabled. I don't have RDP to DC-level access and don't feel it is worth getting someone else to check on the multiple DCs we have in operation for the account in question. Then I'll bump both answers for being helpful. – Rowan Hawkins Oct 02 '20 at 14:39
  • Here's a method if you don't have a log forwarding solution in place, but directory change auditing is enabled: look at the metadata for the object in question (using dsquery, adfind, PowerShell, etc.) and note the oldest timestamp and originating DC name. Go to the security log on that DC at that exact time and you'll find your creation event. This tip also works for finding out who modified a specific attribute on an object (as long as the appropriate auditing is enabled). – twconnell Oct 03 '20 at 10:04

1 Answer

You need to enable audit logging in the security settings and scan for events.

The Subject* keys tell you the account that requested the change.

There are some more event logs you should watch, I'm not going to list them here. You'll find a comprehensive list here:

Daniel
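Putting twconnell's comment and the answer above together as one script (an added example, not code from the question or from either of the people answering): read the replication metadata for the object to learn which DC originated the write of `whenCreated` (the creation) and of `userAccountControl` (the attribute a disable flips), then query that DC's Security log in a small window around the recorded time and print the `Subject*` fields, which name the account that requested the change. The RSAT `ActiveDirectory` module, read access to the DC's Security log, and the "Audit User Account Management" subcategory (what `auditpol /get /category:*` would show) having been enabled at the time of the change are all assumed, as are the `$SamAccountName` parameter and the 5-minute window. Event IDs 4720 (user created), 4725 (user disabled) and 4738 (user changed) are the standard Windows Security log IDs for those actions.

```powershell
# Added example: trace who created or disabled an AD user by pairing
# replication metadata (originating DC + time) with that DC's Security log.
# Assumptions: RSAT ActiveDirectory module, rights to read the DC Security
# log remotely, and account-management auditing enabled when it happened.
param(
    [Parameter(Mandatory)] [string] $SamAccountName,
    [int] $WindowMinutes = 5          # tolerance for clock skew between DCs
)

Import-Module ActiveDirectory

$user = Get-ADUser -Identity $SamAccountName -Properties whenCreated, userAccountControl
$anyDc = (Get-ADDomainController -Discover -Service ADWS).HostName | Select-Object -First 1

# Each attribute's metadata records the DC that originated its last write and
# when. whenCreated is written exactly once, so its metadata points at the DC
# that logged the creation; userAccountControl points at the last enable/
# disable style change (only the LAST write is kept, earlier ones are gone).
$meta = Get-ADReplicationAttributeMetadata -Object $user.DistinguishedName -Server $anyDc `
            -Properties whenCreated, userAccountControl

# Known Windows Security event IDs per attribute (not from the original post).
$eventIds = @{
    whenCreated        = @(4720)        # a user account was created
    userAccountControl = @(4725, 4738)  # user disabled / user account changed
}

foreach ($m in $meta) {
    $changedAt = $m.LastOriginatingChangeTime
    # Originating DC is given as its NTDS Settings DN:
    # "CN=NTDS Settings,CN=DC01,CN=Servers,CN=<site>,CN=Sites,CN=Configuration,..."
    $dcShortName = (($m.LastOriginatingChangeDirectoryServerIdentity -split ',')[1]) -replace '^CN='
    $dc = Get-ADDomainController -Identity $dcShortName -ErrorAction SilentlyContinue
    if (-not $dc) {
        # The originating DC may have been demoted since; its log is gone unless forwarded.
        Write-Warning "Originating DC '$dcShortName' for $($m.AttributeName) no longer exists"
        continue
    }

    $filter = @{
        LogName   = 'Security'
        Id        = $eventIds[$m.AttributeName]
        StartTime = $changedAt.AddMinutes(-$WindowMinutes)
        EndTime   = $changedAt.AddMinutes($WindowMinutes)
    }

    Get-WinEvent -ComputerName $dc.HostName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Flatten the EventData <Data Name="..."> nodes into a hashtable.
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }

            # Keep only events about our object (match by SID, fall back to name).
            if ($data.TargetSid -eq $user.SID.Value -or $data.TargetUserName -eq $user.SamAccountName) {
                [pscustomobject]@{
                    Attribute     = $m.AttributeName
                    ChangedAt     = $changedAt
                    OriginatingDC = $dc.HostName
                    EventId       = $_.Id
                    EventTime     = $_.TimeCreated
                    Subject       = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
                    SubjectLogon  = $data.SubjectLogonId
                    Target        = "$($data.TargetDomainName)\$($data.TargetUserName)"
                }
            }
        }
}
```

Run it as `.\Trace-ADUserChange.ps1 -SamAccountName jdoe` from a workstation with RSAT. An empty result for an attribute usually means one of the failure modes the comments describe: the subcategory was not audited at the time, the DC's Security log has since rolled over, or the originating DC was rebuilt. The `SubjectLogonId` is included because it lets you pivot to the 4624 logon event for that session on the same DC when the subject turns out to be a shared or service account.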