Agree.
 
I'm not an expert, but how much weight would a possible "deletedtimestamp" attribute take in the DIT?
MS has made available interesting attributes such as whencreated and whenmodified, so why not create some new ones that stamp the deletion of an object, or stamp the last owner, that is, the one who did the deletion? This could be easily queried for fast reporting rather than using tools or scripts to query every DC in a domain.
 
Cheers,
 
Yann

Al Mulnick <[EMAIL PROTECTED]> wrote:
<raises hand>
GUID or SID of the user account that made the delete request.  Last mod may not be enough in case some process gets hold of that data in the deleted items, even if unlikely.  I want the id of the identity that caused the object to be there in the first place.
 
Having the data for a full undelete option wouldn't seem too terrible either, although that might significantly increase the storage in the DIT.  In the past I've had to write apps to keep that information out of band in order to put back items mistakenly removed. But I can't see why I should have to trip through all the DCs' audit logs to find the information about who deleted something, given how common this type of question is.  It should be recorded the same as the audit log (we have the information, why not stamp it on the object at time of deletion?)
 
Al
 
 
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, October 14, 2005 11:03 AM
To: [email protected]
Subject: RE: [ActiveDir] Knowing when users were deleted.

Correct, you can currently only get the when and the where (DC Where not Client Where).
 
Which raises the question. How many people would like a metadata stamp with the GUID or SID of the userid that made the modification for a given attribute (or value if appropriate)? Or would it be ok to just have who made the last change to the object? Either way, none of the "administrators group" nonsense, it points to a specific security principal.
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Freddy HARTONO
Sent: Friday, October 14, 2005 3:18 AM
To: [email protected]
Subject: RE: [ActiveDir] Knowing when users were deleted.

Hi Yann,
 
You can find it in the deleted objects folder via adfind -showdel and see the Last modified date - that would be when the object was deleted.

But as for who deleted it - I don't think you can find that without the auditing.
 

Thank you and have a splendid day!

Kind Regards,

Freddy Hartono
Group Support Engineer
InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED]
phone: (+65) 6330-9740 - temp
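
As an added illustration of the reply above (not part of the original thread or anyone's own script), this Python sketch reads deleted-object records and reports when each deleted user was removed. The records are constructed "attribute: value" text, not real adfind output; the domain, names, GUIDs and times are made up, and objectClass is simplified to one value.

```python
import re
from datetime import datetime, timezone

# Constructed sample: two tombstones as "attribute: value" records, the kind of
# data a deleted-objects query returns. All values here are made up.
SAMPLE = r"""
dn: CN=Jane Doe\0ADEL:5f2c1c1e-8a4b-4d0e-9f3a-1b2c3d4e5f60,CN=Deleted Objects,DC=example,DC=com
objectClass: user
isDeleted: TRUE
whenChanged: 20051014065512.0Z
lastKnownParent: OU=Sales,DC=example,DC=com

dn: CN=PRN-01\0ADEL:0a1b2c3d-4e5f-4a6b-8c7d-9e0f1a2b3c4d,CN=Deleted Objects,DC=example,DC=com
objectClass: printQueue
isDeleted: TRUE
whenChanged: 20051013221000.0Z
lastKnownParent: CN=SRV1,OU=Servers,DC=example,DC=com
"""

# A tombstone's RDN is "<old name>" + newline + "DEL:<objectGUID>"; in a DN
# string the newline appears escaped as \0A.
TOMBSTONE_RDN = re.compile(r"^CN=(?P<name>.+?)\\0ADEL:(?P<guid>[0-9a-fA-F-]{36}),")

def parse_records(text):
    """Split blank-line separated records into attribute dictionaries."""
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            key, _, value = line.partition(": ")
            rec[key.strip().lower()] = value.strip()
        yield rec

def deleted_users(text):
    """Return (name, guid, deleted_at_utc, last_parent) per deleted user, newest first."""
    rows = []
    for rec in parse_records(text):
        m = TOMBSTONE_RDN.match(rec.get("dn", ""))
        if not m or rec.get("isdeleted") != "TRUE" or rec.get("objectclass") != "user":
            continue
        # whenChanged is generalized time in UTC; on an untouched tombstone it
        # is when this DC applied the deletion. It does not say who deleted.
        when = datetime.strptime(rec["whenchanged"], "%Y%m%d%H%M%S.0Z").replace(tzinfo=timezone.utc)
        rows.append((m["name"], m["guid"], when, rec.get("lastknownparent", "")))
    return sorted(rows, key=lambda r: r[2], reverse=True)

if __name__ == "__main__":
    for name, guid, when, parent in deleted_users(SAMPLE):
        print(f"{when.isoformat()}  {name}  (was in {parent})  guid={guid}")
```
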

 


From: Yann [mailto:[EMAIL PROTECTED]
Sent: Friday, October 14, 2005 2:57 PM
To: [email protected]
Subject: [ActiveDir] Knowing when users were deleted.

Hi there,
 
I wonder if there is a way to know when a user has been deleted from AD other than using the security audit, because at the time of the deletion, I forgot to activate the audit :(
 
So my boss is urging me to find the guilty user AND the time of deletion.
I looked for attributes in adsi and found that there are the whencreated and whenmodified attributes but no whendeletedtimestamp one.
 
Any idea ?

