Needle in a haystack

Sie Member Posts: 1,195
What's the easiest way to find out which admin keeps removing a group from a specific user?

(Windows 2003 Domain Environment)
Foolproof systems don't take into account the ingenuity of fools

Comments

  • sprkymrk Member Posts: 4,884
    The built-in auditing of W2K3/AD doesn't include an easy way unfortunately. Third party products like Change Auditor make it easier.

    Event IDs like 632, 636, 640, 642 and 661 might help you narrow it down, but you'll have to filter through a lot of noise to spot it.
    All things are possible, only believe.
  • Sie Member Posts: 1,195
    Unfortunately it could have been done from a number of servers, so I guess I will never know.

    Thank you for your reply though!!
  • sprkymrk Member Posts: 4,884
    Don't you just hate rogue or incompetent admins? Are they doing it to mess with someone or just being stupid?

    You should see those in the DCs' event logs if domain accounts were involved. If you can give any more details of what's going on, maybe someone will have an idea on what to do.

    I was wondering, depending on the situation, if you could use Group Policy and restricted groups to help?
  • royal Member Posts: 3,352
    In addition to what Mark stated, the following URL talks about Auditing for Account Management (which is enabled by default for Success on the Default Domain Controllers Policy). It will show you all the event IDs associated with auditing Account Management.
    “For success, attitude is equally as important as ability.” - Harry F. Banks
  • Sie Member Posts: 1,195
    Someone keeps removing the Admin group from one of my logins, no idea why however.

    That's why I wanted to find out who was doing it.

    Problem is it's usually something like:

    I use the account and it's fine.

    ...Two days pass...

    I use the account and it's missing the group.

    So I have no idea where in those two days the group was removed.

    Think I'm onto a losing battle; just wanted to find out who it was and find out why!!

    [Edit - Just saw your post mate, will check that link, cheers]
    [Edit 2 - Just filtered the Sec log by the user who I think it may be, pulled that off the server, now just have to go through all events..... so I can filter by the user who did x, y and z; anyone know how to filter by what x, y and z did to a user?]

    What I mean is I can see if user A changed user B and user C,
    but what I want is
    to see everyone who changed user A.
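One way to answer the last question in the thread (who changed user A, rather than what user A changed), as an added PowerShell example that is not from any poster: it reads the Windows 2003 "group member removed" audit events from each DC and keeps only those whose removed member is the affected account, then counts them per caller. The DC names, domain and account name are assumptions; event IDs 633, 637 and 661 are the member-removed counterparts of the 632, 636 and 660 member-added events.

```powershell
# Added example, not from the thread. Assumes PowerShell 2.0 with rights to read the Security log
# on each DC. Membership changes are only logged on the DC that processed them, so every DC is read.
$DomainControllers = 'DC1', 'DC2'       # assumption: replace with your domain controllers
$Domain            = 'CORP'             # assumption: NetBIOS domain name
$TargetUser        = 'sie'              # assumption: the login that keeps losing the group
$Since             = (Get-Date).AddDays(-7)
# Windows 2003 "member removed" events: 633 global, 637 local, 661 universal group.
$RemovedIds        = 633, 637, 661

# Resolve the account to its SID so the match does not depend on how its DN is rendered.
$account   = New-Object System.Security.Principal.NTAccount($Domain, $TargetUser)
$targetSid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value

# Read a single "Label:   value" field out of the event's message text.
function Get-Field([string]$Message, [string]$Label) {
    if ($Message -match "(?m)^\s*$([regex]::Escape($Label)):\s*(\S.*?)\s*$") { return $Matches[1] }
    return ''
}

$hits = foreach ($dc in $DomainControllers) {
    Get-EventLog -ComputerName $dc -LogName Security -After $Since |
        Where-Object { $RemovedIds -contains $_.EventID } |
        Where-Object {
            # In these events Member ID / Member Name identify the removed account,
            # Target Account Name is the group, Caller User Name is the admin who did it.
            $_.Message -match [regex]::Escape($targetSid) -or
            (Get-Field $_.Message 'Member Name') -match "^CN=$([regex]::Escape($TargetUser))(,|$)"
        } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Time   = $_.TimeGenerated
                DC     = $dc
                Group  = Get-Field $_.Message 'Target Account Name'
                Caller = (Get-Field $_.Message 'Caller Domain') + '\' + (Get-Field $_.Message 'Caller User Name')
            }
        }
}

# Timeline of removals, then a per-administrator count to spot the repeat offender.
$hits | Sort-Object Time | Format-Table Time, DC, Group, Caller -AutoSize
$hits | Group-Object Caller | Sort-Object Count -Descending | Select-Object Count, Name
```

The Caller Logon ID in the same events can be matched against the 528/540 logon event on that DC to see which workstation the change was made from.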