You might want to check for Event ID 630 on all your DCs using EventComb.
Here is a good article that lists all the Event IDs for specific account operations. http://www.rippletech.com/PDF/New/SOX/Auditing%20Best%20Practices.pdf
If you aren’t backing up your security event logs on your DCs each night (yes, every DC) you are doing yourself a disservice. I recommend getting a tool that can consolidate your security event logs into one location so that you can run reports against them. I have used InTrust from Quest/Aelita. Pretty good tool and easy to set up and use. There are a lot of others out there though, some free, some not so free.
Todd
From: Mulnick, Al [mailto:[EMAIL PROTECTED]]
Is it possible that the accounts were deleted during the replication issues and are now being propagated?
Have you checked the deleted objects container to see if it exists there on any of the DCs (since replication was indicated, it might not hurt to check multiple DCs)?
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mike Hogenauer
I only know because people come tell me that they lose connection to e-mail or they can’t log in. Example: yesterday a user logged in in the AM, then by mid-morning couldn’t access his Exchange account. Having seen a few accounts disappear, I did a search in AD and his account didn’t come up, but his Exchange account obviously still existed. Recreated the account and reattached the mailbox and he’s off and running again. If this were Exchange I’d look at the SA and the Mailbox Management tool and the times they run to see if they were related, but it’s not related to Exchange.
Mike
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mulnick, Al
How do you know when the accounts went missing?
Generally it would be a very bad thing for an account to go missing without a trace. I mean, at a minimum if it were deleted it would be stripped of attribute information and sent to the deleted objects graveyard. You would be able to look there and see the tombstoned items if that were the case using this method: http://support.microsoft.com/?kbid=840001#6.
I was thinking that some of Joe's tools would let you look at this as well, but can't remember at the moment.
Al
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mike Hogenauer
In the past 2 months I’ve had 4 accounts that have just disappeared without a trace from AD. I’ve turned up auditing on all my domain controllers but I haven’t been able to find anything relevant.
I have 4 offices in WA, CA, NC, and NY. I did have some replication errors but they have been fixed and none of the errors went past 60 days. I also don’t have a lot of group policies running or scripts that run (I just recently inherited this environment). Also, I’ve made sure only a select few people have rights to the Directory.
Has anyone seen this or had accounts that just seem to vanish?
Thanks in advance.
Mike
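The two checks suggested in this thread (account-deletion events on every DC, and tombstones in the deleted objects container on more than one DC) can be run as a single sweep. The script below is an added example, not something posted by the thread's participants; it assumes the ActiveDirectory RSAT module, read access to each DC's Security log, and a 60-day look-back, and it adds Event ID 4726, the Windows Server 2008 and later equivalent of the 630 named in the thread.

```powershell
# Added example: sweep every DC for tombstoned user objects and account-deletion events.
# Assumptions: ActiveDirectory (RSAT) module is installed; caller can read each DC's Security log.
Import-Module ActiveDirectory

$since = (Get-Date).AddDays(-60)   # assumed look-back window
# 630 is the ID named in the thread (Windows 2000/2003 "User Account Deleted");
# 4726 is the equivalent on Windows Server 2008 and later.
$deleteEventIds = 630, 4726

$report = foreach ($dc in Get-ADDomainController -Filter *) {
    $name = $dc.HostName

    # 1. Tombstones: ask this DC directly, because replication state may differ per DC.
    try {
        Get-ADObject -Server $name -IncludeDeletedObjects -ErrorAction Stop `
            -Filter 'isDeleted -eq $true -and objectClass -eq "user"' `
            -Properties sAMAccountName, whenChanged, lastKnownParent |
          Where-Object { $_.whenChanged -ge $since } |
          ForEach-Object {
            [pscustomobject]@{
                DC = $name; Source = 'Tombstone'; When = $_.whenChanged
                Account = $_.sAMAccountName; Detail = $_.lastKnownParent
            }
          }
    } catch {
        Write-Warning "Deleted-objects query failed on ${name}: $($_.Exception.Message)"
    }

    # 2. Security log: the deletion is audited only on the DC where it was performed.
    try {
        Get-WinEvent -ComputerName $name -ErrorAction Stop -FilterHashtable @{
            LogName = 'Security'; Id = $deleteEventIds; StartTime = $since
        } | ForEach-Object {
            [pscustomobject]@{
                DC = $name; Source = "Event $($_.Id)"; When = $_.TimeCreated
                Account = $null; Detail = ($_.Message -split "`r?`n")[0]
            }
        }
    } catch {
        # Get-WinEvent throws when nothing matches; that is the normal result on most DCs.
        Write-Warning "No deletion events read from ${name}: $($_.Exception.Message)"
    }
}

$report | Sort-Object When | Format-Table -AutoSize
```

A tombstone with no matching deletion event on any DC usually means the Security log had already wrapped or auditing was not enabled when the delete happened, which is the case for nightly log collection made earlier in the thread.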
- RE: [ActiveDir] Accounts disappearing from AD Myrick, Todd (NIH/CC/DNA)
