It gets logged in the security log of the domain controller. Once you turn on this logging, it's a lot of events for every action, so be careful to ensure that your event logs can handle it.
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/Serve rHelp/5658fae8-985f-48cc-b1bf-bd47dc210916.mspx Event ID 624 = Create Success Audit Entry Event ID 630 = Delete Success Audit Entry It would be a good idea to undo any changes you've made up until now to be sure you're not confusing anything. Also, remember that this is a GPO setting so you'll want to be sure it applied to the domain controllers. Eventtriggers.exe might be useful for tracking this if you don't have something moving your log files over to another format. al -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Hogenauer Sent: Thursday, April 07, 2005 10:41 AM To: [email protected] Subject: RE: [ActiveDir] AD logging Yes I saw Eric's post, which does make sense; my real problem is I have accounts once a week for the past 2 months that literally disappears from AD... I have removed everyone but myself from all privileged groups; I've had all my admins reset passwords, I've made sure no scripts are running that would cause this to happen. I've even removed all logon scripts. I've never seen user accounts just disappear like this... So I set up a few test account then deleted them, I want to see where this gets logged to help me troubleshoot why other accounts see to just vanish?!?! -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al Sent: Thursday, April 07, 2005 6:13 AM To: [email protected] Subject: RE: [ActiveDir] AD logging Did you notice ~Eric's post? I have to ask again: Why not just use the GPO? What drove you to the NTDS registry settings? That bit is still not clear to me. Al -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Hogenauer Sent: Wednesday, April 06, 2005 5:42 PM To: [email protected] Subject: RE: [ActiveDir] AD logging Given the severity of the situation I set them all to 2 and have been watching the logs -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al Sent: Wednesday, April 06, 2005 1:50 PM To: [email protected] Subject: RE: [ActiveDir] AD logging Under diagnostics, there are many keys. Which one did you set? -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Hogenauer Sent: Wednesday, April 06, 2005 4:47 PM To: [email protected] Subject: RE: [ActiveDir] AD logging HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics The default GPO also has auditing set for the domain right now to audit success and failure for all objects. -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al Sent: Wednesday, April 06, 2005 1:31 PM To: [email protected] Subject: RE: [ActiveDir] AD logging Which registry setting did you set? And why there? Why not via GPO around account auditing? -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Hogenauer Sent: Wednesday, April 06, 2005 3:51 PM To: [email protected] Subject: [ActiveDir] AD logging Question, Hopefully this wont sound too newbie! Domain is 2003 native mode 6 domain controllers in 3 sites. I've turned up logging in the registry to a value of 2 on the server that holds the PDC Emulator role. I have also set success and failure auditing in the default domain GP on all objects. I created an account for testing then I deleted that account but I can't see a reference to the deletion anywhere? Where will I see a reference to the deletion? Wouldn't I find that in the Security log? Like I said sorry for the newbie question... Thanks in advance Mike List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
