Collecting metadata may be more illuminating. You should be able to reconstruct at least some part of the changes to the object by looking at various attributes.
Piece of cake with repadmin /showobjmeta

From: [email protected] On Behalf Of Michael B. Smith
Sent: Thursday, February 20, 2014 10:07 AM
To: [email protected]
Subject: RE: [NTSysADM] who and when an AD user account disabled

You can look at WhenChanged on the object to see the last time it was changed. Of course, if it has been enabled or otherwise touched, that will no longer be valid.

From: [email protected] On Behalf Of Webster
Sent: Thursday, February 20, 2014 12:58 PM
To: [email protected]
Subject: RE: [NTSysADM] who and when an AD user account disabled

Their Security event log has already wrapped in the last 4 hours so I doubt I will be able to go back to December when they think the account was mysteriously disabled.

Webster

________________________________

From: [email protected] on behalf of Christopher Bodnar
Sent: Thursday, February 20, 2014 11:55 AM
To: [email protected]
Subject: Re: [NTSysADM] who and when an AD user account disabled

If auditing of that is enabled, not sure what the default is... yes. Event ID 4725 for user accounts in 2008. On 2003 it was 629.

Christopher Bodnar
Enterprise Architect I, Corporate Office of Technology: Enterprise Architecture and Engineering Services
The Guardian Life Insurance Company of America

From: Webster
To: [email protected]
Date: 02/20/2014 12:46 PM
Subject: [NTSysADM] who and when an AD user account disabled
Sent by: [email protected]

________________________________

Is it possible, using PoSH or another utility, to find out who disabled a user's account and when it happened?

All DCs are 2008 R2 and DFL/FFL are both 2008 R2.

Thanks

Webster
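The repadmin /showobjmeta approach mentioned at the top of this thread, as an added PowerShell example that is not from any of the posters: it parses the command's text output and pulls the replication metadata row for userAccountControl. The helper name ConvertFrom-ShowObjMeta, the sample rows and the DC names are constructed for illustration, and PowerShell 3.0 or later is assumed.

```powershell
# Added example: parse 'repadmin /showobjmeta' text output into objects.
# ConvertFrom-ShowObjMeta is a hypothetical helper name, not a built-in cmdlet.
function ConvertFrom-ShowObjMeta {
    param([Parameter(Mandatory)][string[]]$Line)

    # Columns: Loc.USN, Originating DSA, Org.USN, Org.Time/Date, Ver, Attribute.
    # Anchored on the date and trailing fields so a DSA name with spaces still parses.
    $pattern = '^\s*(?<LocUsn>\d+)\s+(?<Dsa>.+?)\s+(?<OrgUsn>\d+)\s+' +
               '(?<When>\d{4}-\d{2}-\d{2}\s+\d{2}:\d{2}:\d{2})\s+' +
               '(?<Ver>\d+)\s+(?<Attr>\S+)\s*$'

    foreach ($l in $Line) {
        if ($l -match $pattern) {
            [pscustomobject]@{
                Attribute      = $Matches.Attr
                Version        = [int]$Matches.Ver
                OriginatingDsa = $Matches.Dsa
                OriginatingUsn = [long]$Matches.OrgUsn
                ChangedAt      = [datetime]::ParseExact(
                    ($Matches.When -replace '\s+', ' '),
                    'yyyy-MM-dd HH:mm:ss',
                    [cultureinfo]::InvariantCulture)
            }
        }
    }
}

# Constructed sample output (not from a real directory). For live data use:
#   $raw = repadmin /showobjmeta <DC> "<user DN>"
$raw = @'
3 entries.
Loc.USN                      Originating DSA   Org.USN  Org.Time/Date        Ver Attribute
=======                      =============== =========  =============        === =========
  20481     Default-First-Site-Name\DC01        20481  2012-03-05 08:12:44    1 objectClass
 918230     Default-First-Site-Name\DC02       655102  2013-12-11 16:40:09    6 userAccountControl
 918455     Default-First-Site-Name\DC01       918455  2014-01-07 09:02:31    9 pwdLastSet
'@ -split "`r?`n"

$uac = ConvertFrom-ShowObjMeta -Line $raw |
    Where-Object { $_.Attribute -eq 'userAccountControl' }

# ChangedAt and OriginatingDsa give the time and DC of the last change to
# userAccountControl (any flag, not only "disabled"); they do not name the actor.
# Use them to pick which DC's Security log or archive to search for event 4725.
$uac | Format-List Attribute, Version, OriginatingDsa, ChangedAt
```

Unlike WhenChanged, this per-attribute timestamp is not overwritten when some other attribute on the object is touched, but it does move again if userAccountControl itself is changed later.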

