Yep, I have set that up many places but I have come into an environment that has five forests, 11 domains and numerous short-cut trusts setup and NO AD person on staff any longer. They have about two years worth of work for me to do in nine weeks (actually eight weeks and 1 day now)!
Webster ________________________________ From: [email protected] <[email protected]> on behalf of Christopher Bodnar <[email protected]> Sent: Thursday, February 20, 2014 12:07 PM To: [email protected] Subject: RE: [NTSysADM] who and when an AD user account disabled Also might want to take a look at this: http://technet.microsoft.com/en-us/library/cc731607(v=ws.10).aspx Christopher Bodnar Enterprise Architect I, Corporate Office of Technology:Enterprise Architecture and Engineering Services Tel 610-807-6459 3900 Burgess Place, Bethlehem, PA 18017 [email protected]<mailto:> [cid:_2_077AD8A0077AD4A00063835E85257C85] The Guardian Life Insurance Company of America www.guardianlife.com<http://www.guardianlife.com/> From: Christopher Bodnar <[email protected]> To: <[email protected]> Date: 02/20/2014 01:05 PM Subject: RE: [NTSysADM] who and when an AD user account disabled ________________________________ create an account and disable it while looking in the logs, that will tell if if it's enabled right now. if it's a big environment, you will need to look at all the DCs. but you are right, unless they are shipping the logs off, probably out of luck. Christopher Bodnar Enterprise Architect I, Corporate Office of Technology:Enterprise Architecture and Engineering Services Tel 610-807-6459 3900 Burgess Place, Bethlehem, PA 18017 [email protected]<mailto:> [cid:_2_0D0B603C0D0B5C3C0063835E85257C85] The Guardian Life Insurance Company of America www.guardianlife.com<http://www.guardianlife.com/> From: Webster <[email protected]> To: "[email protected]" <[email protected]> Date: 02/20/2014 01:00 PM Subject: RE: [NTSysADM] who and when an AD user account disabled Sent by: [email protected] ________________________________ Their Security event log has already wrapped in the last 4 hours so I doubt I will be able to go back to December when they think the account was mysteriously disabled. Webster ________________________________ From: [email protected] <[email protected]> on behalf of Christopher Bodnar <[email protected]> Sent: Thursday, February 20, 2014 11:55 AM To: [email protected] Subject: Re: [NTSysADM] who and when an AD user account disabled If auditing of that is enabled, not sure what the default is... .yes. Event ID 4725 for user accounts in 2008. On 2003 it was 629. Christopher Bodnar Enterprise Architect I, Corporate Office of Technology:Enterprise Architecture and Engineering Services Tel 610-807-6459 3900 Burgess Place, Bethlehem, PA 18017 [email protected]<mailto:> [cid:_2_0D0B8CB40D0B88B40063835E85257C85] The Guardian Life Insurance Company of America www.guardianlife.com<http://www.guardianlife.com/> From: Webster <[email protected]> To: "[email protected]" <[email protected]> Date: 02/20/2014 12:46 PM Subject: [NTSysADM] who and when an AD user account disabled Sent by: [email protected] ________________________________ Is it possible, using PoSH or another utility, to find out who disabled a user's account and when it happened? All DCs are 2008 R2 and DFL/FFL are both 2008 R2. Thanks Webster ________________________________ ----------------------------------------- This message, and any attachments to it, may contain information that is privileged, confidential, and exempt from disclosure under applicable law. If the reader of this message is not the intended recipient, you are notified that any use, dissemination, distribution, copying, or communication of this message is strictly prohibited. If you have received this message in error, please notify the sender immediately by return e-mail and delete the message and any attachments. Thank you. ________________________________ ----------------------------------------- This message, and any attachments to it, may contain information that is privileged, confidential, and exempt from disclosure under applicable law. If the reader of this message is not the intended recipient, you are notified that any use, dissemination, distribution, copying, or communication of this message is strictly prohibited. If you have received this message in error, please notify the sender immediately by return e-mail and delete the message and any attachments. Thank you. ________________________________ ----------------------------------------- This message, and any attachments to it, may contain information that is privileged, confidential, and exempt from disclosure under applicable law. If the reader of this message is not the intended recipient, you are notified that any use, dissemination, distribution, copying, or communication of this message is strictly prohibited. If you have received this message in error, please notify the sender immediately by return e-mail and delete the message and any attachments. Thank you.
<<inline: ATT00001.jpg>>
<<inline: ATT00002.jpg>>
<<inline: ATT00003.jpg>>
