Use repadmin to check the object's metadata, can usually find the DC where the 
deletion occurred and also who did it.

The Active Directory forestry book by John Craddock is an excellent resource 
for this type of AD audit.

-----Original Message-----
From: Tom Kern <[EMAIL PROTECTED]>
Date: Tue, 10 Jan 2006 15:53:18 
To:[email protected]
Subject: Re: [ActiveDir] Strange deleted object issue

It logged the creation/deletion. 
 
My question is: I've always had this policy set and yet an account got deleted 
last night and I can't find any record of it. 
 
The security logs have not been cleared and are set to stay for 7 days. 
 
Still, I know a user account ended up in the deleted objects container with a 
whenChanged date of 20060109202458. 
 
Someone/thing must have deleted it and there is no entry in the event logs of 
any DC. 
 
What gives? 
 
Thanks

 
On 1/10/06, Coleman, Hunter <[EMAIL PROTECTED]> wrote: 
Create a user account, then delete it. Note which DC you're connected to for 
the delete, then check the security log on that DC. Look at all of the events 
around the time you deleted the account so that you'll know what is actually 
getting logged. 
 
 From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Tuesday, January 10, 2006 1:23 PM 
To: [email protected]
Subject: Re: [ActiveDir] Strange deleted object issue 

 
 
 
Yes. 
Thanks. 
I just have 2 issues. 
 
1. I don't understand why I get that error in ldp when I enter the OID control 
for deleted objects 
 
2. Most importantly, I had audit account management enabled for success and 
failure on my domain controllers OU and auditing enabled for everyone for 
everything on the entire domain object, yet when I use EventCombMT to scan for 
an event id 630 in the security log, I get nothing. 
 
This account was deleted last night so something should show up with this 
auditing enabled, no? 
 
Do I have to set some other security policy like audit directory service access 
as well? 
 
I figured account management should cover deleting a user object. 
 
Thanks

 
On 1/10/06, Al Mulnick <[EMAIL PROTECTED]> wrote:  
I've deleted the rest of the thread already, but did you not already say you 
found him in the deleted items using ADFIND -showdel? 
 
Or did I misread that and you're still looking for him? 

 
 
On 1/10/06, Tom Kern <[EMAIL PROTECTED]> wrote: 
I'm just using ADUC and searching by sAMAccountName. 
With LDP, I'm looking in Deleted Objects container but this company never 
deletes user accounts, just disables them indefinitely so all I see in that 
container are linkTrackOMTEntry objects. 
 
How can I see if the user was renamed? 
 
I got a call from help desk that this user couldn't log in and they couldn't 
find him in AD using ADUC which I confirmed. 
He's been with the corp for 5 years and I was assured he always had an 
account. 
 
Thanks

 
On 1/10/06, Al Mulnick <[EMAIL PROTECTED]> wrote: 
How do you know he's missing exactly?  I mean, are you sure the account wasn't 
changed for example?  Maybe renamed somehow? 
 
When you search, how are you searching exactly? 
 
 


 
On 1/10/06, Tom Kern <[EMAIL PROTECTED]> wrote: 
I have this weird issue- 
 
A user object is missing from my win2k native mode domain. 
I know because this user has complained that he can't log in and I can't find 
the object anywhere in AD. 
 
I've checked the deleted objects container in AD with ldp and he is not in 
there as well. 
He's not in the Lost and Found container either. 
 
His Exchange mailbox is orphaned in ESM. 
 
Sometime last night this user was deleted but I have no way of finding him.  We 
don't have auditing turned on for that but I figured if an object was deleted 
it would definitely be in the deleted objects container. 
Is there any way to bypass that? 
Where else can I look? 
 
Any help would be great because this is just plain bizarre. 
 
Thanks 
 




 
List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
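
Following up on the repadmin suggestion at the top of the thread, an added example (not part of any poster's message): a Python script that reads saved `repadmin /showobjmeta` output and reports which DC originated the `isDeleted` change and when, so the Security log search for event 630 can be aimed at that DC and time window. The sample output, the site and DC names, and the column layout are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of saved `repadmin /showobjmeta` output (names, USNs and
# times are made up; the column layout is an assumption about the tool's output).
SAMPLE = r"""
Loc.USN    Originating DSA   Org.USN  Org.Time/Date        Ver Attribute
=======    ===============   =======  =============        === =========
  81234            HQ\DC01     40211  2001-03-14 09:12:40    1 objectClass
  81234            HQ\DC01     40211  2001-03-14 09:12:40    1 sAMAccountName
 993410            HQ\DC02    551873  2006-01-09 20:24:58    2 name
 993410            HQ\DC02    551873  2006-01-09 20:24:58    1 isDeleted
 993410            HQ\DC02    551873  2006-01-09 20:24:58    1 lastKnownParent
"""

# Loc.USN, originating DSA, Org.USN, timestamp, version, attribute name
ROW = re.compile(r"^\s*(\d+)\s+(\S.*?)\s+(\d+)\s+"
                 r"(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+(\d+)\s+(\S+)\s*$")

def parse_metadata(text):
    """Return one dict per attribute row; header and noise lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows.append({"dsa": m.group(2), "org_usn": int(m.group(3)),
                         "time": datetime.strptime(m.group(4), "%Y-%m-%d %H:%M:%S"),
                         "version": int(m.group(5)), "attribute": m.group(6)})
    return rows

def deletion_origin(rows, window_minutes=10):
    """Find where and when isDeleted was written, plus a log search window."""
    deleted = next((r for r in rows if r["attribute"].lower() == "isdeleted"), None)
    if deleted is None:
        return None  # no isDeleted row: object not deleted, or output incomplete
    pad = timedelta(minutes=window_minutes)
    # Rows sharing the originating DSA and USN were stamped by the same write.
    same_write = [r["attribute"] for r in rows if r is not deleted
                  and (r["dsa"], r["org_usn"]) == (deleted["dsa"], deleted["org_usn"])]
    return {"dsa": deleted["dsa"], "time": deleted["time"],
            "search_from": deleted["time"] - pad, "search_to": deleted["time"] + pad,
            "co_changed": same_write}

if __name__ == "__main__":
    hit = deletion_origin(parse_metadata(SAMPLE))
    print(f"isDeleted originated on {hit['dsa']} at {hit['time']}")
    print(f"check that DC's Security log from {hit['search_from']} to {hit['search_to']}")
    print("attributes changed in the same write:", ", ".join(hit["co_changed"]))
```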
