Webster,

Glad it helped.

We run Change Auditor here, sounds like they definitely don't have it 
configured right as its whole purpose is to tell you the who-when-what-where 
info of a given change. I don't think the how is necessarily possible because 
of how the product works but the who/where could possibly allow you to surmise 
that info.

We have a case open now for something that isn't capturing the way we want 
from a foreign provisioning system but it's been getting the basic data for a 
long time now. If you are willing to suffer the database size, you can store an 
awful lot of history on your objects. Kind of cool to pull it out sometimes 
when people won't fess up to things and give them multiple years of history for 
a given object.

--bob

From: [email protected] [mailto:[email protected]] On 
Behalf Of Webster
Sent: Tuesday, March 04, 2014 9:38 AM
To: [email protected]
Subject: RE: [NTSysADM] who and when an AD user account disabled


Bob,



Just had to use this again to find a service account whose password was 
changed.  They do have change control and they are using a product named Change 
Auditor BUT this product is not capturing who is changing passwords, when a pwd 
was changed, from which DC a pwd was changed or how the pwd was changed (ADUC, 
PoSH, cli [don't know if that is even possible to record]).  This command is 
showing them when a pwd was changed and from what DC the change originated but 
nothing else.  I think they need to call support for this Change Auditor 
product.



Thanks (again)





Carl Webster

Consultant and Citrix Technology Professional

http://www.CarlWebster.com

________________________________
From: [email protected] <[email protected]> on behalf of Free, Bob <[email protected]>
Sent: Thursday, February 20, 2014 12:40 PM
To: [email protected]
Subject: RE: [NTSysADM] who and when an AD user account disabled

Collecting metadata may be more illuminating. You should be able to reconstruct 
at least some part of the changes to the object by looking at various 
attributes.

Piece of cake with repadmin /showobjmeta
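As an added example (not code from the thread or from any of the posters), here is a PowerShell wrapper around the repadmin /showobjmeta command Bob and Webster refer to. It parses the per-attribute rows into objects so the originating DC, timestamp and version counter of the attributes a disable or password reset writes (userAccountControl, pwdLastSet, unicodePwd, lockoutTime) can be compared side by side. It assumes PowerShell 3.0 or later and repadmin.exe (RSAT) on the path; the DC name, distinguished name and the embedded sample of repadmin output are constructed for illustration, not captured from a real domain.

```powershell
# Added example: parse repadmin /showobjmeta output into objects. Not from the
# thread; the sample output near the bottom is constructed, not real.

function ConvertFrom-ObjMeta {
    param([Parameter(Mandatory)][string[]]$Lines)
    # repadmin prints one row per attribute:
    #   Loc.USN  Originating DSA  Org.USN  Org.Time/Date  Ver  Attribute
    $row = '^\s*(\d+)\s+(\S+)\s+(\d+)\s+(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\d+)\s+(\S+)\s*$'
    foreach ($line in $Lines) {
        if ($line -match $row) {
            [pscustomobject]@{
                Attribute       = $Matches[6]
                Version         = [int]$Matches[5]      # number of originating writes so far
                OriginatingDSA  = $Matches[2]           # site\DC that accepted the write
                OriginatingUSN  = [long]$Matches[3]
                OriginatingTime = [datetime]::ParseExact($Matches[4], 'yyyy-MM-dd HH:mm:ss',
                                      [Globalization.CultureInfo]::InvariantCulture)
                LocalUSN        = [long]$Matches[1]
            }
        }
    }
}

function Get-AccountChangeMetadata {
    param(
        [Parameter(Mandatory)][string]$DomainController,
        [Parameter(Mandatory)][string]$DistinguishedName,
        # Attributes written by disable/enable, password reset and lockout
        [string[]]$Attributes = @('userAccountControl', 'pwdLastSet', 'unicodePwd', 'lockoutTime')
    )
    $raw = & repadmin.exe /showobjmeta $DomainController $DistinguishedName 2>&1
    ConvertFrom-ObjMeta -Lines $raw |
        Where-Object { $Attributes -contains $_.Attribute } |
        Sort-Object OriginatingTime
}

# Constructed sample of repadmin output (hypothetical DCs DC01/DC02, not a real
# domain) so the parser can be exercised offline.
$sample = @'
Loc.USN                           Originating DSA  Org.USN  Org.Time/Date        Ver Attribute
=======                           =============== ========= =============        === =========
  41210                    Default-First-Site-Name\DC01      41210 2013-11-02 08:14:55    1 objectClass
  98342                    Default-First-Site-Name\DC02      77120 2013-12-17 21:03:09    7 userAccountControl
 102551                    Default-First-Site-Name\DC02      80004 2014-02-18 14:22:31    4 pwdLastSet
 102552                    Default-First-Site-Name\DC02      80005 2014-02-18 14:22:31    4 unicodePwd
'@ -split "`r?`n"

ConvertFrom-ObjMeta -Lines $sample |
    Where-Object { 'userAccountControl', 'pwdLastSet', 'unicodePwd' -contains $_.Attribute } |
    Format-Table Attribute, Version, OriginatingDSA, OriginatingTime -AutoSize

# Live use (needs repadmin from RSAT and read access to the object; names are placeholders):
# Get-AccountChangeMetadata -DomainController 'DC02' `
#     -DistinguishedName 'CN=svc-backup,OU=Service Accounts,DC=corp,DC=example,DC=com'
```

Two things to keep in mind when reading the output. The metadata only records the last originating write to each attribute, so for userAccountControl it shows the most recent flip in either direction (disable or re-enable) and the version counter only tells you how many writes there have been in total; if the account was disabled in December and re-enabled since, the December write is gone from the metadata. And pwdLastSet plus unicodePwd written in the same second from the same DC is the signature of a password set, but nothing here names the principal who did it: for the who, you have to go to the Security log of that originating DC around that timestamp, which is exactly where a wrapped log leaves you stuck.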



From: [email protected] [mailto:[email protected]] On Behalf Of Michael B. Smith
Sent: Thursday, February 20, 2014 10:07 AM
To: [email protected]
Subject: RE: [NTSysADM] who and when an AD user account disabled

You can look at WhenChanged on the object to see the last time it was changed.

Of course, if it has been enabled or otherwise touched, that will no longer be 
valid.

From: [email protected] [mailto:[email protected]] On Behalf Of Webster
Sent: Thursday, February 20, 2014 12:58 PM
To: [email protected]
Subject: RE: [NTSysADM] who and when an AD user account disabled


Their Security event log has already wrapped in the last 4 hours so I doubt I 
will be able to go back to December when they think the account was 
mysteriously disabled.





Webster

________________________________

From: [email protected] <[email protected]> on behalf of Christopher Bodnar <[email protected]>
Sent: Thursday, February 20, 2014 11:55 AM
To: [email protected]
Subject: Re: [NTSysADM] who and when an AD user account disabled

If auditing of that is enabled (not sure what the default is)... yes. Event ID 
4725 for user accounts in 2008. On 2003 it was 629.
Christopher Bodnar
Enterprise Architect I, Corporate Office of Technology: Enterprise Architecture 
and Engineering Services

Tel 610-807-6459
3900 Burgess Place, Bethlehem, PA 18017
[email protected]

The Guardian Life Insurance Company of America

www.guardianlife.com







From: Webster <[email protected]>
To: "[email protected]" <[email protected]>
Date: 02/20/2014 12:46 PM
Subject: [NTSysADM] who and when an AD user account disabled
Sent by: [email protected]
________________________________




Is it possible, using PoSH or another utility, to find out who disabled a 
user's account and when it happened?  All DCs are 2008 R2 and DFL/FFL are both 
2008 R2.

Thanks


Webster
________________________________
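The following is an added example, not code from the thread or from any poster, that turns Christopher's pointer to Event ID 4725 into a query you can run against the question Webster asked. It searches every DC's Security log for the account-management events that answer "who disabled or reset this account" (4725 disable, 4722 enable, 4724 password reset, 4723 password change, 4738 account changed), filters on the target account, and first reports how far back each DC's log still reaches, because a log that has wrapped, as Webster describes, cannot answer the question no matter how it is queried. It assumes PowerShell 3.0 or later, the ActiveDirectory module from RSAT, and rights to read the Security log on the DCs (e.g. membership of Event Log Readers); the account name, dates and DC names are placeholders.

```powershell
# Added example: pull account-management audit events for one account from all
# DCs. Not from the thread; account name and dates below are placeholders.

Import-Module ActiveDirectory

# Security event IDs (Windows Server 2008 and later) and what they record
$EventMap = @{
    4722 = 'User account enabled'
    4723 = 'Password change attempted'
    4724 = 'Password reset attempted'
    4725 = 'User account disabled'
    4738 = 'User account changed'
}

function Get-SecurityLogReach {
    param([Parameter(Mandatory)][string]$ComputerName)
    # The oldest surviving record is the hard limit on how far back you can look.
    $oldest = Get-WinEvent -ComputerName $ComputerName -LogName Security -Oldest -MaxEvents 1 -ErrorAction Stop
    [pscustomobject]@{
        DomainController = $ComputerName
        OldestEvent      = $oldest.TimeCreated
    }
}

function Find-AccountManagementEvents {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [datetime]$Start = (Get-Date).AddDays(-90),
        [datetime]$End   = (Get-Date),
        # Default: every DC in the current domain
        [string[]]$DomainControllers = (Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName)
    )
    foreach ($dc in $DomainControllers) {
        $reach = Get-SecurityLogReach -ComputerName $dc
        if ($reach.OldestEvent -gt $Start) {
            Write-Warning ("{0}: Security log only reaches back to {1}; anything earlier is gone." -f $dc, $reach.OldestEvent)
        }
        $filter = @{ LogName = 'Security'; Id = @($EventMap.Keys); StartTime = $Start; EndTime = $End }
        $events = Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction SilentlyContinue
        foreach ($e in $events) {
            # Lift the named EventData fields (TargetUserName, SubjectUserName, ...) out of the event XML
            $xml  = [xml]$e.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            if ($data['TargetUserName'] -ne $SamAccountName) { continue }
            [pscustomobject]@{
                Time             = $e.TimeCreated
                DomainController = $dc                       # the DC that processed the write
                EventId          = $e.Id
                Action           = $EventMap[$e.Id]
                Target           = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
                ChangedBy        = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
                SubjectLogonId   = $data['SubjectLogonId']   # join to 4624 on the same DC for source host/IP
                UacChange        = $data['UserAccountControl'] # 4738 only: e.g. 'Account Disabled'
            }
        }
    }
}

# Usage (placeholder account and window):
# Find-AccountManagementEvents -SamAccountName 'svc-backup' `
#     -Start (Get-Date '2013-12-01') -End (Get-Date '2014-01-01') |
#     Sort-Object Time | Format-Table Time, DomainController, EventId, Action, ChangedBy -AutoSize
```

Two practical notes. These events are written only on the DC that processed the change, which is why querying all DCs (or the originating DC named by repadmin /showobjmeta) matters; and they exist only if the Audit User Account Management subcategory is set to log success, so an empty result on a DC whose log has not wrapped usually means auditing is off rather than that nothing happened. The SubjectLogonId in a 4725 or 4724 matches the Logon ID of the 4624 logon event on the same DC, and that 4624 carries the source workstation name and IP address, which is as close as the native audit trail gets to Bob's "where".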
