Needle in a haystack
Sie
What's the easiest way to find which admin keeps removing a group for a specific user?
(Windows 2003 Domain Environment)
Comments
sprkymrk
The built-in auditing of W2K3/AD doesn't include an easy way, unfortunately. Third-party products like Change Auditor make it easier.
Event IDs like 632, 636, 640, 642 and 661 might help you narrow it down, but you'll have to filter through a lot of noise to spot it.
Sie
Unfortunately it could have been done off a number of servers, so I guess I will never know.
Thank you for your reply though!!
sprkymrk
Don't you just hate rogue or incompetent admins? Are they doing it to mess with someone or just being stupid?
You should see those on the DCs' event logs if it was domain accounts involved. If you can give any more details of what's going on, maybe someone will have an idea on what to do.
I was wondering, depending on the situation, if you could use Group Policy and restricted groups to help?
royal
In addition to what Mark stated, the following URL here talks about Auditing for Account Management (which is enabled by default for Success on the Default Domain Controllers Policy). It will show you all the event IDs associated with auditing Account Management.
Sie
Someone keeps removing the Admin group from one of my logins, no idea why however.
That's why I wanted to find out who was doing it.
Problem is it's usually something like:
I use the account and it's fine.
...Two days pass...
I use the account and it's missing the group.
So I have no idea where in those two days the group is removed.
Think I'm onto a losing battle, just wanted to find out who it was and find out why!!
[Edit - Just saw your post mate, will check that link, cheers]
[Edit 2 - Just filtered the Sec log by the user who I think it may be, pulled that off the server, now just have to go through all events.....
so I can filter by user who did x, y and z; anyone know how to filter by what x, y and z did to user?]
What I mean is I can see if User A changed User B & User C
but what I want is
to see everyone who changed User A.
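For the last question in the thread (everyone who changed User A, rather than everything one admin changed), the sketch below is an added example, not code from any poster: it matches on the member named inside each event's description and merges the hits from several DCs' logs into one timeline. It assumes the logs were exported to text; the sample records, account names and description field labels are constructed, and the IDs used are the 2003-era "member removed" events 633, 637 and 661.

```python
import re

# Windows Server 2003 security-log IDs for "member removed" from a
# security-enabled global, local and universal group respectively.
REMOVALS = {633: "global", 637: "local", 661: "universal"}
FIELD = re.compile(r"^[ \t]*([A-Za-z ]+):[ \t]*(.*)$", re.MULTILINE)

def desc(member, group, caller):
    # Constructed description text; the field labels are an assumption
    # modelled on 2003-era account-management event descriptions.
    return (f"Security Enabled Group Member Removed:\n"
            f"\tMember ID:\t{member}\n"
            f"\tTarget Account Name:\t{group}\n"
            f"\tCaller User Name:\t{caller}\n"
            f"\tCaller Domain:\tCORP\n")

# Constructed sample: (DC the log came from, event ID, time, description)
SAMPLE = [
    ("DC01", 633, "2007-03-01 09:14", desc(r"CORP\sie.adm", "Domain Admins", "jbloggs")),
    ("DC02", 633, "2007-03-03 17:40", desc(r"CORP\other", "Domain Admins", "jbloggs")),
    ("DC02", 632, "2007-03-04 08:02", desc(r"CORP\sie.adm", "Domain Admins", "sie")),
    ("DC03", 637, "2007-03-05 22:51", desc(r"corp\SIE.ADM", "Administrators", "msmith")),
]

def who_removed(records, member_id):
    """Return (time, dc, group, caller) for each removal of member_id."""
    hits = []
    for dc, event_id, when, text in records:
        if event_id not in REMOVALS:
            continue  # additions and other changes are not removals
        fields = {k.strip(): v.strip() for k, v in FIELD.findall(text)}
        # Match on the account that was changed, not the one that acted.
        if fields.get("Member ID", "").lower() != member_id.lower():
            continue
        caller = fields.get("Caller Domain", "?") + "\\" + fields.get("Caller User Name", "?")
        hits.append((when, dc, fields.get("Target Account Name", "?"), caller))
    return sorted(hits)  # one timeline across every DC's log

if __name__ == "__main__":
    for hit in who_removed(SAMPLE, r"CORP\sie.adm"):
        print(*hit, sep="  ")
```

Because the change is logged on whichever DC processed it, every DC's security log has to be fed in before the timeline is complete.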