RE: [ActiveDir] User account deletion
As opposed to??? If you think the deletion occurred within the tombstone lifetime period, you can query the deleted objects container for the user. You can do that with LDP or adfind. With LDP you check in the control, with adfind you add -showdel and make sure you have perms to see into the DO container, by default, admin rights. If outside of TSL you will need auditing or the user's GUID. If you have the old GUID you can search for it and if it isn't there, it was deleted. -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chris PohlschneiderSent: Friday, October 06, 2006 8:34 AMTo: ActiveDir@mail.activedir.orgSubject: [ActiveDir] User account deletion Is there a way to tell if a user account has been deleted? Thanks, Chris
Re: [ActiveDir] User account deletion
Chris Pohlschneider wrote: Is there a way to tell if a user account has been deleted? Active Directory Users computers, ADSIEDit.exe, ldp.exe, adfind.exe - couple more. Repadmin.exe also can be used. -- Tomasz Onyszko http://www.w2k.pl/ - (PL) http://blogs.dirteam.com/blogs/tomek/ - (EN) List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ml/threads.aspx
RE: [ActiveDir] User account deletion
by, you really cannot find it anymore when querying AD ;-) jorge From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chris PohlschneiderSent: Friday, October 06, 2006 14:34To: ActiveDir@mail.activedir.orgSubject: [ActiveDir] User account deletion Is there a way to tell if a user account has been deleted? Thanks, Chris This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you.
Re: [ActiveDir] User account deletion
>From Microsoft's website: Event ID: 630 Type: Success AuditDescription: User Account Deleted: Target Account Name: %1Target Domain: %2 Target Account ID: %3 Caller User Name: %4 Caller Domain: %5 Caller Logon ID: %6 Privileges: %7Check the security logs on your DCs for 630 events.On 10/6/06, Almeida Pinto, Jorge de [EMAIL PROTECTED] wrote: by, you really cannot find it anymore when querying AD ;-) jorge From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Chris PohlschneiderSent: Friday, October 06, 2006 14:34To: ActiveDir@mail.activedir.orgSubject: [ActiveDir] User account deletion Is there a way to tell if a user account has been deleted? Thanks, Chris This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you.
Re: [ActiveDir] User account deletion
Just an FYI, this event will only be on the DC that the user was connected to when they deleted the account, it won't show up on all DCs, so this could be a relatively daunting task, mattering on your environment (or impossible, if your event logs roll over frequently and you don't save them off to another server or have software that saves them) On 10/6/06, Matt Hargraves [EMAIL PROTECTED] wrote: >From Microsoft's website: Event ID: 630 Type: Success AuditDescription: User Account Deleted: Target Account Name: %1Target Domain: %2 Target Account ID: %3 Caller User Name: %4 Caller Domain: %5 Caller Logon ID: %6 Privileges: %7Check the security logs on your DCs for 630 events. On 10/6/06, Almeida Pinto, Jorge de [EMAIL PROTECTED] wrote: by, you really cannot find it anymore when querying AD ;-) jorge From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Chris PohlschneiderSent: Friday, October 06, 2006 14:34To: ActiveDir@mail.activedir.orgSubject: [ActiveDir] User account deletion Is there a way to tell if a user account has been deleted? Thanks, Chris This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you.
