A few more goodies if you want to go this route.

ElSave allows you to save and clear an event log,
http://www.ibt.ku.dk/jesper/ELSave/

LogParserLizard, it's a GUI for LogParser
Here's what you'd type on the cmd line on a server to get what you want,

    logparser -i:EVT -o:CSV -stats:OFF "SELECT * FROM Security WHERE EventID = 630" >> tmp.csv

Then you can clean the csv like this,

    logparser -i:CSV -o:CSV -stats:OFF -e:-1 -q:ON "SELECT DISTINCT EXTRACT_TOKEN(Strings, 10, '|') AS User FROM tmp.csv" > parsed.csv

Not sure if '10' will be the right position (I doubt it), just open the CSV file and see what fields are there and which ones you want.

Thanks,
Jake Gardner
TTC Network Administrator
Ext. 246

-----Original Message-----
From: Thomas Mullins [mailto:[EMAIL PROTECTED]
Sent: Wednesday, November 05, 2008 10:08 AM
To: NT System Admin Issues
Subject: RE: How to monitor deletion of user accounts

Thanks Jake,

That looks like just the trick.

Shane

-----Original Message-----
From: Jake Gardner [mailto:[EMAIL PROTECTED]
Sent: Wednesday, November 05, 2008 9:44 AM
To: NT System Admin Issues
Subject: RE: How to monitor deletion of user accounts

You could use LogParser
http://www.microsoft.com/downloads/details.aspx?FamilyID=890cd06b-abf8-4c25-91b2-f8d975cf8c07&displaylang=en

It can grab EventViewer logs and you can parse it SQL style. Script it and loop through your DCs, then dump the data pretty much anywhere you want.

Thanks,
Jake Gardner
TTC Network Administrator
Ext. 246

-----Original Message-----
From: Thomas Mullins [mailto:[EMAIL PROTECTED]
Sent: Wednesday, November 05, 2008 9:39 AM
To: NT System Admin Issues
Subject: How to monitor deletion of user accounts

Any thoughts on how to monitor the deletion of user accounts? I know to look for event code 630 in the security log, but this gets cumbersome across multiple domain controllers. I was thinking about trying to have the DCs log this information to a Cisco Mars box. If anyone has any info to share, it would be greatly appreciated.

Thanks

Shane

~ Finally, powerful endpoint security that ISN'T a resource hog!
~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~

***Teletronics Technology Corporation***
This e-mail is confidential and may also be privileged. If you are not the addressee or authorized by the addressee to receive this e-mail, you may not disclose, copy, distribute, or use this e-mail. If you have received this e-mail in error, please notify the sender immediately by reply e-mail or by telephone at 267-352-2020 and destroy this message and any copies. Thank you.
*******************************************************************
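
The CSV clean-up step from the thread, as an added example that is not part of the original messages: it lists each '|'-separated token of Strings with its zero-based position (the index EXTRACT_TOKEN takes), then pulls the deleted account and the caller out of the event 630 rows. The sample rows are constructed and trimmed to the columns used, and the default positions 0 and 3 are assumptions to check against your own export.

```python
import csv
import io

# Constructed sample in the shape of the tmp.csv export above, trimmed to the
# columns used here. The token layout inside Strings is an assumption.
SAMPLE_CSV = """TimeGenerated,EventID,Strings,ComputerName
2008-11-05 09:12:41,630,"jdoe|EXAMPLE|%{S-1-5-21-1-2-3-1105}|hdesk1|EXAMPLE|(0x0,0x3E7A1)|-",DC01
2008-11-05 09:30:02,624,newuser|EXAMPLE|%{S-1-5-21-1-2-3-1200}|hdesk1|EXAMPLE,DC01
2008-11-05 10:01:17,630,"tmp_contractor|EXAMPLE|%{S-1-5-21-1-2-3-1150}|admin2|EXAMPLE|(0x0,0x51C20)|-",DC02
2008-11-05 10:05:00,630,truncated,DC02
"""


def token_map(strings):
    """Map zero-based position -> token, so the right index can be read off."""
    return dict(enumerate(strings.split("|")))


def deleted_accounts(csv_text, event_id="630", target_pos=0, caller_pos=3):
    """Return (extracted rows, rows too short to hold the requested positions)."""
    hits, skipped = [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["EventID"] != event_id:
            continue
        tokens = row["Strings"].split("|")
        if max(target_pos, caller_pos) >= len(tokens):
            skipped.append(row)  # keep short records visible instead of crashing
            continue
        hits.append({
            "time": row["TimeGenerated"],
            "dc": row["ComputerName"],
            "deleted": tokens[target_pos],
            "by": tokens[caller_pos],
        })
    return sorted(hits, key=lambda h: h["time"]), skipped


if __name__ == "__main__":
    rows = csv.DictReader(io.StringIO(SAMPLE_CSV))
    first = next(r for r in rows if r["EventID"] == "630")
    for pos, tok in token_map(first["Strings"]).items():
        print(pos, tok)  # inspect positions before trusting the defaults
    hits, skipped = deleted_accounts(SAMPLE_CSV)
    for h in hits:
        print(h["time"], h["dc"], h["deleted"], "deleted by", h["by"])
    print(len(skipped), "event 630 row(s) skipped as too short")
```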
