create an account and disable it while looking in the logs, that will tell if if it's enabled right now. if it's a big environment, you will need to look at all the DCs.
but you are right, unless they are shipping the logs off, probably out of luck. Christopher Bodnar Enterprise Architect I, Corporate Office of Technology:Enterprise Architecture and Engineering Services Tel 610-807-6459 3900 Burgess Place, Bethlehem, PA 18017 [email protected] The Guardian Life Insurance Company of America www.guardianlife.com From: Webster <[email protected]> To: "[email protected]" <[email protected]> Date: 02/20/2014 01:00 PM Subject: RE: [NTSysADM] who and when an AD user account disabled Sent by: [email protected] Their Security event log has already wrapped in the last 4 hours so I doubt I will be able to go back to December when they think the account was mysteriously disabled. Webster From: [email protected] <[email protected]> on behalf of Christopher Bodnar <[email protected]> Sent: Thursday, February 20, 2014 11:55 AM To: [email protected] Subject: Re: [NTSysADM] who and when an AD user account disabled If auditing of that is enabled, not sure what the default is... .yes. Event ID 4725 for user accounts in 2008. On 2003 it was 629. Christopher Bodnar Enterprise Architect I, Corporate Office of Technology:Enterprise Architecture and Engineering Services Tel 610-807-6459 3900 Burgess Place, Bethlehem, PA 18017 [email protected] The Guardian Life Insurance Company of America www.guardianlife.com From: Webster <[email protected]> To: "[email protected]" <[email protected]> Date: 02/20/2014 12:46 PM Subject: [NTSysADM] who and when an AD user account disabled Sent by: [email protected] Is it possible, using PoSH or another utility, to find out who disabled a user's account and when it happened? All DCs are 2008 R2 and DFL/FFL are both 2008 R2. Thanks Webster ----------------------------------------- This message, and any attachments to it, may contain information that is privileged, confidential, and exempt from disclosure under applicable law. If the reader of this message is not the intended recipient, you are notified that any use, dissemination, distribution, copying, or communication of this message is strictly prohibited. If you have received this message in error, please notify the sender immediately by return e-mail and delete the message and any attachments. Thank you. ----------------------------------------- This message, and any attachments to it, may contain information that is privileged, confidential, and exempt from disclosure under applicable law. If the reader of this message is not the intended recipient, you are notified that any use, dissemination, distribution, copying, or communication of this message is strictly prohibited. If you have received this message in error, please notify the sender immediately by return e-mail and delete the message and any attachments. Thank you.
<<image/jpeg>>
<<image/jpeg>>
