Tom-
 
Account Management auditing is on or off. What are you talking about that it's 
on for "Everyone"?
 
You know it would help if you worked on the simple things like capitalization, 
spelling, and sentence structure. I find I have to read your messages two or 
three times and really, while I enjoy reading and replying to everything on this 
list, I tend to feel like my time is being wasted if I have to read a message 
multiple times to understand it. 
 
Thanks,
Brian Desmond
[EMAIL PROTECTED]
 
c - 312.731.3132

________________________________

From: [EMAIL PROTECTED] on behalf of Tom Kern
Sent: Tue 1/10/2006 9:39 PM
To: [email protected]
Subject: Re: [ActiveDir] Strange deleted object issue


I'm saying all DCs are logging security events for days but none have a log of 
object deletion or creation. EVER, except 
just a few hours ago, when I created/deleted a test user, was the first time I saw 
such a log (event ID 630).
Before that time, there were only logon security events even though Audit 
account management had been set months ago, 
and auditing for "Everyone" for account creation/deletion had also been set up.
 
The timestamp of the object deletion was last night (1/9 at 8:42pm). 
However, this has not been recorded on any DC in the domain.
 
I never set up auditing for policy changes so I would never know if someone 
changed the GPO and deleted the account and then turned it back on.
 
I find it strange and unreasonable that you would have auditing set up for 
account management and not see a log when an account had been deleted or 
created either.
That's why I'm thinking something more troublesome is going on (like someone 
changing the policy).
 
I don't know what else to think....
 
Thanks


 
On 1/10/06, Al Mulnick <[EMAIL PROTECTED]> wrote: 

        Stopped logging the events?  How so?  You mention that each DC has a log of similar events going back days and that it handles the events now when you test it.  How did it selectively not log one account being deleted? 

        Is it possible it was done prior to the dates you're looking at? Is it possible the event logs were cleared during the time that it occurred? Is it possible you have to go to tape backup to see the event? 

        I'm having a hard time believing it would selectively not log the event.  Also, if you're logging for everything (I can't tell what you're auditing for from here of course) then are you logging for GPO changes? You would see a change in the log at that time if somebody messed with the audit policy. 

        I'm having a hard time believing something occurred without a security context at that point in time. 

        If you have not already, save off all logs before they get overwritten.  You may need them later. :)

        Also, since you have a time stamp of the time it was changed (you do, don't you?) then you should be able to focus on those times across all DCs to see exactly what was going on at that time.  
        
         
        Al
        
         


         
        On 1/10/06, Tom Kern <[EMAIL PROTECTED]> wrote: 

                I thought to do that you first have to reanimate the object from the Deleted Objects container before you can search on the GUID.
                The deletion occurred in a Win2k forest. I think what you are talking about you can only do in a Win2k3 DFL forest.

                Besides, that will only tell me the DC and time the isDeleted attribute was set. It won't tell me the user or process that deleted it.
                That's what I really need, and as my DCs seem to have mysteriously stopped logging event ID 630 or 565, I'm screwed.

                Thanks a lot
                
                 
                
                On 1/10/06, Mark Parris <[EMAIL PROTECTED] > wrote: 

                        Use repadmin to check the object's metadata; you can usually find the DC where the deletion occurred and also who did it. 

                        The Active Directory Forestry book by John Craddock is an excellent resource for this type of AD audit.
                        
                        -----Original Message-----
                        From: Tom Kern <[EMAIL PROTECTED]>
                        Date: Tue, 10 Jan 2006 15:53:18
                        To: [email protected]
                        Subject: Re: [ActiveDir] Strange deleted object issue
                        
                        It logged the creation/deletion. 

                        My question is: I've always had this policy set and yet an account got deleted last night and I can't find any record of it. 

                        The security logs have not been cleared and are set to stay for 7 days.

                        Still, I know a user account ended up in the Deleted Objects container with a whenChanged date of 20060109202458. 

                        Someone/something must have deleted it and there is no entry in the event logs of any DC. 

                        What gives?
                        
                        Thanks
                        
                        
                        On 1/10/06, Coleman, Hunter <[EMAIL PROTECTED] > wrote:
                        Create a user account, then delete it. Note which DC 
you're connected to for the delete, then check the security log on that DC. 
Look at all of the events around the time you deleted the account so that 
you'll know what is actually getting logged. 
                        
                        From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern 
                        Sent: Tuesday, January 10, 2006 1:23 PM
                        To: [email protected]
                        Subject: Re: [ActiveDir] Strange deleted object issue
                        
                        
                        
                        
                        Yes.
                        Thanks. 
                        I just have 2 issues.

                        1. I don't understand why I get that error in ldp when I enter the OID control for deleted objects.

                        2. Most importantly, I had Audit account management enabled for success and failure on my Domain Controllers OU and auditing enabled for Everyone for everything on the entire domain object, yet when I use EventCombMT to scan for an event ID 630 in the security log, I get nothing. 

                        This account was deleted last night so something should show up with this auditing enabled, no?

                        Do I have to set some other security policy like Audit directory service access as well?

                        I figured account management should cover deleting a user object. 

                        Thanks
                        
                        
                        On 1/10/06, Al Mulnick <[EMAIL PROTECTED]> wrote:
                        I've deleted the rest of the thread already, but did 
you not already say you found him in the deleted items using ADFIND -showdel? 
                        
                        Or did I misread that and you're still looking for him?
                        
                        
                        
                        On 1/10/06, Tom Kern <[EMAIL PROTECTED] > wrote:
                        I'm just using ADUC and searching by sAMAccountName. 
                        With LDP, I'm looking in the Deleted Objects container, but this company never deletes user accounts, just disables them indefinitely, so all I see in that container are linkTrackOMTEntry objects. 

                        How can I see if the user was renamed? 

                        I got a call from the help desk that this user couldn't log in and they couldn't find him in AD using ADUC, which I confirmed.
                        He's been with the corp for 5 years and I was assured he always had an account. 

                        Thanks
                        
                        
                        On 1/10/06, Al Mulnick <[EMAIL PROTECTED]> wrote:
                        how do you know he's missing exactly?  I mean, are you 
sure the account wasn't changed for example?  Maybe renamed somehow? 
                        
                        When you search, how are you searching exactly?
                        
                        
                        
                        
                        
                        On 1/10/06, Tom Kern <[EMAIL PROTECTED] > wrote:
                        I have this weird issue.

                        A user object is missing from my Win2k native mode domain. 
                        I know because this user has complained that he can't log in and I can't find the object anywhere in AD.

                        I've checked the Deleted Objects container in AD with ldp and he is not in there either.
                        He's not in the Lost and Found container either. 

                        His Exchange mailbox is orphaned in ESM.

                        Sometime last night this user was deleted but I have no way of finding him.  We don't have auditing turned on for that, but I figured if an object was deleted it would definitely be in the Deleted Objects container. 
                        Is there any way to bypass that?
                        Where else can I look?

                        Any help would be great because this is just plain bizarre.

                        Thanks
                        
                        
                        
                        
                        
                        
                        List info   : http://www.activedir.org/List.aspx
                        List FAQ    : http://www.activedir.org/ListFAQ.aspx
                        List archive: 
http://www.mail-archive.com/activedir%40mail.activedir.org/
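Al's advice in the thread above (focus on the deletion timestamp across all DCs, and look for audit policy changes and cleared logs around it) can be turned into a small correlation script. The Python below is an added example and is not code from the list or from any of the posters. The export lines are constructed, the event IDs (630, 624, 565, 612, 517) are the Windows 2000/2003 security log numbers the thread refers to, and the script assumes the per-DC logs were exported to a pipe-delimited text file with timestamps already converted to UTC, because whenChanged is stored as a UTC generalizedTime.

```python
from datetime import datetime, timedelta

# Windows 2000/2003 security event IDs referenced in the thread (pre-Vista numbering).
USER_DELETED = 630          # Audit account management: user account deleted
USER_CREATED = 624          # Audit account management: user account created
OBJECT_OPEN = 565           # Audit directory service access: object opened
AUDIT_POLICY_CHANGE = 612   # Audit policy change
AUDIT_LOG_CLEARED = 517     # Security log cleared

# Constructed sample export (not real data): "DC|UTC time|EventID|Subject|Target".
# It mirrors the situation in the thread: no 630 on any DC, but a pair of 612
# events on DC1 bracketing the whenChanged time and a 517 on DC3 the next morning.
SAMPLE_EXPORT = """\
DC1|2006-01-09T20:20:11|528|jdoe|-
DC1|2006-01-09T20:23:30|612|SYSTEM|-
DC1|2006-01-09T20:26:05|612|SYSTEM|-
DC2|2006-01-09T20:25:40|528|asmith|-
DC3|2006-01-09T19:10:00|528|jdoe|-
DC3|2006-01-10T09:02:17|517|admin1|-
"""


def parse_generalized_time(value):
    """Parse an AD generalizedTime such as whenChanged, in either the bare form
    (20060109202458) or the LDAP form (20060109202458.0Z). AD stores it in UTC."""
    core = value.split(".")[0].rstrip("Z")
    return datetime.strptime(core, "%Y%m%d%H%M%S")


def parse_export(text):
    """Turn the pipe-delimited export into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        dc, ts, event_id, subject, target = line.split("|")
        events.append({
            "dc": dc,
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"),
            "id": int(event_id),
            "subject": subject,
            "target": target,
        })
    return events


def correlate(events, when_changed, window=timedelta(minutes=30)):
    """Group events per DC around the deletion timestamp: everything inside the
    window, account-management events inside it, audit policy changes inside it,
    and any log-cleared event from the deletion time onwards."""
    center = parse_generalized_time(when_changed)
    lo, hi = center - window, center + window
    report = {}
    for ev in events:
        entry = report.setdefault(ev["dc"], {
            "in_window": [], "account_mgmt": [], "policy_changes": [], "log_cleared": []})
        if lo <= ev["time"] <= hi:
            entry["in_window"].append(ev)
            if ev["id"] in (USER_DELETED, USER_CREATED):
                entry["account_mgmt"].append(ev)
            if ev["id"] == AUDIT_POLICY_CHANGE:
                entry["policy_changes"].append(ev)
        if ev["id"] == AUDIT_LOG_CLEARED and ev["time"] >= center:
            entry["log_cleared"].append(ev)
    return report


def findings(report):
    """Render the per-DC observations a reviewer would want to follow up on."""
    out = []
    for dc in sorted(report):
        e = report[dc]
        if not e["in_window"]:
            out.append(f"{dc}: no security events in the window at all; check audit policy and log retention")
        if not e["account_mgmt"]:
            out.append(f"{dc}: no 630/624 in the window")
        for ev in e["policy_changes"]:
            out.append(f"{dc}: audit policy change (612) at {ev['time']:%Y-%m-%d %H:%M:%S} by {ev['subject']}")
        for ev in e["log_cleared"]:
            out.append(f"{dc}: security log cleared (517) at {ev['time']:%Y-%m-%d %H:%M:%S} by {ev['subject']}")
    return out


if __name__ == "__main__":
    # whenChanged value quoted in the thread, used as the centre of the search window
    for line in findings(correlate(parse_export(SAMPLE_EXPORT), "20060109202458")):
        print(line)
```

Run as a script it prints the findings for the constructed sample; with a real export only `parse_export` needs adapting to the column layout, and if the export carries local time the timestamps must be shifted to UTC before comparing them with whenChanged.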
                        



