Sounds like they need to add to your work scope to put into place some 
monitoring by upper level staff with no ability to change the monitored 
information.  Well either that or hire someone else to come in and set that up, 
but I think you could do it.
 
Jon

From: [email protected]
To: [email protected]
Subject: RE: [NTSysADM] who and when an AD user account disabled
Date: Fri, 21 Feb 2014 00:26:47 +0000

No.  An employee was terminated and their account was supposed to be disabled
immediately and the password reset.  But, said terminated employee accessed
systems at 7:30PM the next day.  It wasn't until two days after termination
that the account was disabled.

Then on February 5th, someone changed several properties of the account.  Now
they are trying to find out who the "who" is that did all this.

Using the stuff Bob Free showed me, I was able to get them a history of all
the changes made to the account since it was created, including the changes made
on the 5th.  But unfortunately there is no "who" recorded in any of this.

They were appreciative of what Bob showed me how to retrieve.

Webster

From: [email protected] <[email protected]> on behalf of Ken Schaefer <[email protected]>
Sent: Thursday, February 20, 2014 4:40 PM
To: [email protected]
Subject: RE: [NTSysADM] who and when an AD user account disabled

Surely someone raised a ticket or service request in some system somewhere?
That would give you a starting point for isolating the date/time. And then
whoever closed the ticket as being completed is probably the person that did
the work.

Cheers
Ken

From: [email protected] [mailto:[email protected]] On Behalf Of Aakash Shah
Sent: Friday, 21 February 2014 6:23 AM
To: [email protected]
Subject: RE: [NTSysADM] who and when an AD user account disabled

Probably a long shot, but any chance that they have backups of their DCs from
December?  It’s possible that a backup job caught the logs when this event
still existed, and so you may be able to see who/when it was disabled.

Alternatively, if this account happens to be used as a service account
somewhere, perhaps the logs from that workstation/server may indicate when it
stopped working and this may at least help illuminate when this problem
started.

-Aakash Shah

From: [email protected] [mailto:[email protected]] On Behalf Of Webster
Sent: Thursday, February 20, 2014 9:58 AM
To: [email protected]
Subject: RE: [NTSysADM] who and when an AD user account disabled

Their Security event log has already wrapped in the last 4 hours so I doubt I
will be able to go back to December when they think the account was
mysteriously disabled.

Webster

From: [email protected] <[email protected]> on behalf of Christopher Bodnar <[email protected]>
Sent: Thursday, February 20, 2014 11:55 AM
To: [email protected]
Subject: Re: [NTSysADM] who and when an AD user account disabled

If auditing of that is enabled, not sure what the default is... yes. Event ID
4725 for user accounts in 2008.  On 2003 it was 629.

Christopher Bodnar
Enterprise Architect I, Corporate Office of Technology: Enterprise Architecture and Engineering Services
Tel 610-807-6459
3900 Burgess Place, Bethlehem, PA 18017
[email protected]
The Guardian Life Insurance Company of America
www.guardianlife.com

From: Webster <[email protected]>
To: "[email protected]" <[email protected]>
Date: 02/20/2014 12:46 PM
Subject: [NTSysADM] who and when an AD user account disabled
Sent by: [email protected]

Is it possible, using PoSH or another utility, to find out who disabled a
user's account and when it happened?  All DCs are 2008 R2 and DFL/FFL are both
2008 R2.

Thanks

Webster
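
The Event ID 4725 lookup mentioned in the thread, as an added PowerShell example that is not part of any poster's message: it asks every domain controller for 4725 and reports how far back each Security log reaches, since a wrapped log is the failure described above. The account name jdoe is a placeholder, and the script assumes the ActiveDirectory module and remote read access to the DCs' Security logs.

```powershell
# Added example, not from the thread. Assumptions: the ActiveDirectory module
# (RSAT) is installed, the caller can read each DC's Security log remotely,
# "Audit User Account Management" success auditing was on at the time, and
# 'jdoe' is a placeholder sAMAccountName.
Import-Module ActiveDirectory

$TargetUser = 'jdoe'

# 4725 is written only on the DC that processed the change, so ask every DC.
$hits = foreach ($dc in Get-ADDomainController -Filter *) {
    $name = $dc.HostName

    # Oldest surviving record: if it is newer than the incident, this DC's
    # log has already wrapped past it and only a backup of the log can help.
    $oldest = Get-WinEvent -ComputerName $name -LogName Security -Oldest `
        -MaxEvents 1 -ErrorAction SilentlyContinue
    if (-not $oldest) { Write-Warning "${name}: Security log not readable"; continue }
    Write-Host ("{0}: Security log starts {1}" -f $name, $oldest.TimeCreated)

    $events = Get-WinEvent -ComputerName $name -ErrorAction SilentlyContinue `
        -FilterHashtable @{ LogName = 'Security'; Id = 4725 }

    foreach ($evt in $events) {
        # Flatten <EventData><Data Name="..."> into a name/value table.
        $data = @{}
        foreach ($d in ([xml]$evt.ToXml()).Event.EventData.Data) {
            $data[$d.Name] = $d.'#text'
        }
        if ($data['TargetUserName'] -ne $TargetUser) { continue }

        # Subject* fields identify the account that performed the disable.
        New-Object PSObject -Property @{
            TimeCreated = $evt.TimeCreated
            DC          = $name
            Account     = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
            DisabledBy  = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
        }
    }
}

$hits | Sort-Object TimeCreated |
    Format-Table TimeCreated, DC, Account, DisabledBy -AutoSize
```

An empty result together with a "Security log starts" time later than the incident means the record has been overwritten on that DC, not that the event never happened.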

​ 




 
