I wouldn't be straying near any open garage doors if I were you :-]

Ah, the infamous changing-the-syntax-of-a-utility issue. Who would do that? :op
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe
Sent: Wednesday, January 11, 2006 6:27 PM
To: [email protected]
Subject: RE: [ActiveDir] Strange deleted object issue
That should work in any version of AD since release; the metadata has been there. However, note that that version of the command didn't exist in earlier versions of repadmin; you instead used repadmin /showmeta, which has a different ordering of parameters. I don't recall why that was done, but I recall that there was some good reason for it, even if it was just that someone thought it was better/more consistent that way.
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of TIROA YANN
Sent: Wednesday, January 11, 2006 6:37 PM
To: [email protected]
Subject: RE : [ActiveDir] Strange deleted object issue
When I said in my previous post "...Not sure if that works but I am in w2k3 FFL mode...", I meant rather "...Not sure if the /showobjmeta switch works in a w2k forest, because it works in w2k3...".

So you confirm that it also works in a w2k forest.

Yann
From: [EMAIL PROTECTED] on behalf of Tom Kern
Date: Wed. 11/01/2006 17:40
To: [email protected]
Subject: Re: [ActiveDir] Strange deleted object issue
On 1/11/06, TIROA YANN <[EMAIL PROTECTED]> wrote:

Not sure if that works but I am in w2k3 FFL mode. *BUT* when I tried with the repadmin /showmeta switch, it shows me the same error as you.

So you would try to install the adminpak.msi for w2k3 on your Windows XP box, because repadmin /showobjmeta is only available in the w2k3 adminpak.msi. Then try the process again.

Try it and let me know if that works.

Yann
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On behalf of Tom Kern
Sent: Wednesday 11 January 2006 16:00
Yann, does this command work against a win2k forest?

When I run it against any DC in my forest, I get a .

C:\repadmin /showmeta opnyc10.mydomain.com "CN=YIPJ\0ADEL:f9eeaf3f-07f6-43d2-9a00-22923bef2fcb,CN=Deleted Objects,DC=mydomain,DC=com"

DsBindWithCred to CN=YIPJ\0ADEL:f9eeaf3f-07f6-43d2-9a00-22923bef2fcb,CN=Deleted Objects,DC=mydomain,DC=com failed with status 1722 (0x6ba): The RPC server is unavailable.

Thanks
On 1/11/06, Tom Kern <[EMAIL PROTECTED]> wrote:

Brian, I apologize for being so grammatically and syntactically cavalier with my posts to this list.

If a dangling participle, split infinitive, or misspelled word has offended you, you have my sincerest regret, and I promise to work on being a bit more diligent on that matter.

If it helps any, by way of explanation, I usually write most of my posts from home while chasing after 2 kids.

I can never seem to find the time to post from work or a quieter place.

But I'm sure that's more information than you or the list has needed to know....

By "everyone", I mean I have enabled the "Audit account management" policy and I'm auditing user object creation/deletion for the "Everyone" well-known security principal.
On 1/11/06, TIROA YANN <[EMAIL PROTECTED]> wrote:

Hi Tom, I used the following:

If the user yann is deleted from AD:

1) adfind -default -showdel -f isdeleted=TRUE -gc > del.txt to list all deleted users in del.txt (the -gc queries the GCs; I found it much faster to query GCs than DCs).

2) Search for your user yann and pick up its DN "CN=yann\0ADEL:2a299250-27ea-4a05-bdf7-5ca9558ff733,CN=Deleted Objects,DC=univ-lyon1,DC=fr".

3) Type repadmin /showobjmeta MYDC "CN=dac\0ADEL:2a299250-27ea-4a05-bdf7-5ca9558ff733,CN=Deleted Objects,DC=univ-lyon1,DC=fr" | find /i "isdeleted" to localize the DC on which the deletion occurred.

Ex: here is the result of the command:
17730966 MYSITE\MYDC 17730966 2005-10-27 10:37:11 1 isDeleted

You can see that the deletion occurred at 10:37:11 AM on 2005-10-27 on the DC "MYDC".

4) You can then use psloglist \\MYDC security -i 630 -a 10/27/05, which shows you all deleted accounts that occurred before 10/27/05, or connect to MYDC to search in the security event log.

If you cannot find your user at that time, it may be that another domain admin has disabled the policy account applied by default, so you may check with your peers to confirm this.

Hope it helps
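The two lookups in Yann's steps 2 and 3 (pulling the GUID out of a tombstone DN, then finding which DC originated the isDeleted write and when) are mechanical enough to script. The following is an added example, not code from the thread or from any Microsoft or Sysinternals tool; the sample DN and repadmin rows are constructed, and their column layout is assumed to match the single output line Yann quoted (Loc.USN, originating DSA, Org.USN, date, time, version, attribute).

```python
import re
from datetime import datetime

# Constructed sample inputs (names, GUID and domain are made up for this example).
# Tombstone DN in the shape adfind -showdel returns for a deleted user.
DELETED_DN = r"CN=yann\0ADEL:2a299250-27ea-4a05-bdf7-5ca9558ff733,CN=Deleted Objects,DC=example,DC=com"
# repadmin /showobjmeta rows, laid out like the single line quoted in the post
# (assumed layout): Loc.USN  Originating DSA  Org.USN  Org.Time/Date  Ver  Attribute
SHOWOBJMETA_OUTPUT = """\
17730901 MYSITE\\MYDC      17730901 2005-10-27 10:36:58  1 objectClass
17730966 MYSITE\\MYDC      17730966 2005-10-27 10:37:11  1 isDeleted
17731002 OTHERSITE\\DC02   9923411  2005-10-27 10:37:11  3 lastKnownParent
"""

# A tombstone RDN is "<old RDN>\0ADEL:<objectGUID>" under CN=Deleted Objects.
TOMBSTONE_RE = re.compile(
    r"^CN=(?P<rdn>.+?)\\0ADEL:(?P<guid>[0-9a-fA-F-]{36}),CN=Deleted Objects,")


def parse_deleted_dn(dn):
    """Split a Deleted Objects DN into the original RDN and the object GUID."""
    m = TOMBSTONE_RE.match(dn)
    if not m:
        raise ValueError("not a Deleted Objects DN: " + dn)
    return m.group("rdn"), m.group("guid").lower()


def find_deletion_origin(output, attribute="isDeleted"):
    """Find the row whose last column is `attribute` and return the originating
    DSA, its bare DC name, the write time, and the date in the mm/dd/yy form
    used with psloglist -a in the post; None when the attribute never appears."""
    for line in output.splitlines():
        parts = line.split()
        if len(parts) < 7 or parts[-1].lower() != attribute.lower():
            continue  # header, blank line, or some other attribute
        when = datetime.strptime(parts[3] + " " + parts[4], "%Y-%m-%d %H:%M:%S")
        return {"dsa": parts[1], "dc": parts[1].split("\\")[-1],
                "when": when, "psloglist_date": when.strftime("%m/%d/%y")}
    return None


if __name__ == "__main__":
    rdn, guid = parse_deleted_dn(DELETED_DN)
    origin = find_deletion_origin(SHOWOBJMETA_OUTPUT)
    print("%s (%s) tombstoned on %s at %s" % (rdn, guid, origin["dsa"], origin["when"]))
    print(r"next: psloglist \\%s security -i 630 -a %s" % (origin["dc"], origin["psloglist_date"]))
```

The originating DSA and timestamp only tell you where and when isDeleted was written; who did it still has to come from event 630 on that DC's security log, which is why the audit policy discussed further down the thread matters.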
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On behalf of Tom Kern
Sent: Wednesday 11 January 2006 01:24
To: [email protected]
Subject: Re: [ActiveDir] Strange deleted object issue
You have to restore (reanimate) the object from the Deleted Objects container back into AD to run repadmin /showmeta GUID..... otherwise it won't work.

Besides, this won't help me figure out who deleted it or why the audit wasn't logged.

p.s. - I have the Forestry book and think it's great and well worth the hefty price.
On 1/10/06, Mark Parris <[EMAIL PROTECTED]> wrote:

If I recall, he reset the permissions on the OU/container which holds the deleted objects; then you could query it without reanimating anything.

-----Original Message-----
From: Tom Kern <[EMAIL PROTECTED]>
Date: Tue, 10 Jan 2006 17:03:11
To: [email protected]
Subject: Re: [ActiveDir] Strange deleted object issue
I thought to do that you first have to reanimate the object from the Deleted Objects container before you can search on the GUID. The deletion occurred in a Win2k forest. I think what you are talking about you can only do in a Win2k3 DFL forest.

Besides, that will only tell me the DC and time the isDeleted attribute was set. It won't tell me the user or process that deleted it. That's what I really need, and as my DCs seem to have mysteriously stopped logging event id 630 or 565, I'm screwed.

Thanks a lot
On 1/10/06, Mark Parris <[EMAIL PROTECTED]> wrote:

Use repadmin to check the object's metadata; you can usually find the DC where the deletion occurred and also who did it.

The Active Directory Forestry book by John Craddock is an excellent resource for this type of AD audit.

-----Original Message-----
From: Tom Kern <[EMAIL PROTECTED]>
Date: Tue, 10 Jan 2006 15:53:18
To: [email protected]
Subject: Re: [ActiveDir] Strange deleted object issue
It logged the creation/deletion.

My question is: I've always had this policy set, and yet an account got deleted last nite and I can't find any record of it.

The security logs have not been cleared and are set to stay for 7 days.

Still, I know a user account ended up in the Deleted Objects container with a whenChanged date of 20060109202458.

Someone/something must have deleted it, and there is no entry in the event logs of any DC.

What gives?

Thanks
On 1/10/06, Coleman, Hunter <[EMAIL PROTECTED]> wrote:

Create a user account, then delete it. Note which DC you're connected to for the delete, then check the security log on that DC. Look at all of the events around the time you deleted the account so that you'll know what is actually getting logged.
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Tuesday, January 10, 2006 1:23 PM
To: [email protected]
Subject: Re: [ActiveDir] Strange deleted object issue
Yes. Thanks. I just have 2 issues.

1. I don't understand why I get that error in ldp when I enter the OID control for deleted objects.

2. Most importantly, I had audit account management enabled for success and failure on my Domain Controllers OU, and auditing enabled for Everyone for everything on the entire domain object, yet when I use EventCombMT to scan for an event id 630 in the security log, I get nothing.

This account was deleted last nite, so something should show up with this auditing enabled, no?

Do I have to set some other security policy like audit directory service access as well?

I figured account management should cover deleting a user object.

Thanks
On 1/10/06, Al Mulnick <[EMAIL PROTECTED]> wrote:

I've deleted the rest of the thread already, but did you not already say you found him in the deleted items using ADFIND -showdel?

Or did I misread that and you're still looking for him?
On 1/10/06, Tom Kern <[EMAIL PROTECTED]> wrote:

I'm just using ADUC and searching by sAMAccountName. With LDP, I'm looking in the Deleted Objects container, but this company never deletes user accounts, just disables them indefinitely, so all I see in that container are linkTrackOMTEntry objects.

How can I see if the user was renamed?

I got a call from the help desk that this user couldn't log in and they couldn't find him in AD using ADUC, which I confirmed. He's been with the corp for 5 years and I was assured he always had an account.

Thanks
On 1/10/06, Al Mulnick <[EMAIL PROTECTED]> wrote:

How do you know he's missing exactly? I mean, are you sure the account wasn't changed, for example? Maybe renamed somehow?

When you search, how are you searching exactly?
On 1/10/06, Tom Kern <[EMAIL PROTECTED]> wrote:

I have this weird issue:

A user object is missing from my win2k native mode domain. I know because this user has complained that he can't log in and I can't find the object anywhere in AD.

I've checked the Deleted Objects container in AD with ldp and he is not in there either. He's not in the Lost and Found container either.

His Exchange mailbox is orphaned in ESM.

Sometime last nite this user was deleted, but I have no way of finding him. We don't have auditing turned on for that, but I figured if an object was deleted it would definitely be in the Deleted Objects container. Is there any way to bypass that? Where else can I look?

Any help would be great because this is just plain bizarre.

Thanks
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/