Another possibility is the pure scripting way ... and leverage WMI
with two event WQL queries:
1/
Select * From __InstanceDeletionEvent Within 60 Where
TargetInstance ISA "ds_user"
2/
Select * From __InstanceCreationEvent Where TargetInstance ISA
"Win32_NTLogEvent"And TargetInstance.Logfile = "Audit"
You can use a logic similar to Sample 3.54 - GroupMonitor.wsf (at
http://www.lissware.net, volume 2) but
just need to adapt it to users.
The same reasoning can be used to monitor FSMO role changes
(Sample 3.55 and Sample 3.56 - FSMOMonitor.wsf).
These two scripts send an email containing info about the modified
object.
Tweak them to meet your requirements with the WQL queries 1/ and
2/.
You can download the script freely from my
site.
Enable object access auditing and you can eventually run the
script as a Windows Service (yes) on the DC.Then you are all
set!
You can watch the web cast at http://go.microsoft.com/fwlink/?LinkId=39643 where
I explain how to run scripts as Windows service with the right security
context.
HTH.
/Alain
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Yann
Sent: Friday, October 14, 2005 8:18 AM
To: [email protected]
Subject: RE: [ActiveDir] Knowing when users were deleted.
Hi Freddy,
The information you gave rocks !
I did not think using the Last modified date attribute and
query it with the magic joe's tool :
-> "adfind -default -showdel -f isdeleted=TRUE"
It saves my job ! :)
The security audit is now configured and on.
Thanks for your help.
Yann
Freddy HARTONO <[EMAIL PROTECTED]> a écrit :
Freddy HARTONO <[EMAIL PROTECTED]> a écrit :
Hi Yann,You can find at the deletedobject folder via adfind -showdel and see the Last modified date - that would be when the object is deleted.
But as for who deleted - I dont think you can find it without the auditing.
Thank you and have a splendid day!
Kind Regards,
Freddy Hartono
Group Support Engineer
InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED]
phone: (+65) 6330-9740 - temp
From: Yann [mailto:[EMAIL PROTECTED]
Sent: Friday, October 14, 2005 2:57 PM
To: [email protected]
Subject: [ActiveDir] Knowing when users were deleted.Hi there,I wonder if there is a way to know when a user has been deleted from AD other than using security audt, because at the time of the deletion, i forgot to activate the audit :(So my boss urge me to find the guilty user AND the time of deletion.I looked for attributes in adsi and found that there is the whencreated, whenmodified attribute but not whendeletedtimestamp one.Any idea ?
Appel audio GRATUIT partout dans le monde avec le nouveau Yahoo! Messenger
Téléchargez le ici !
Appel audio GRATUIT partout dans le monde avec le nouveau Yahoo! Messenger
Téléchargez le ici !
