+ Post New Thread
Results 1 to 11 of 11
Windows Thread, User account disabled - who did it? in Technical; Is there anyway to find out which of my team disabled a students account? Using windows 2000 server. AD Users ...
  1. #1
    kennysarmy's Avatar
    Join Date
    Oct 2005
    Location
    UK
    Posts
    1,327
    Thank Post
    84
    Thanked 47 Times in 33 Posts
    Rep Power
    31

    User account disabled - who did it?

    Is there anyway to find out which of my team disabled a students account?
    Using windows 2000 server.
    AD Users and Computers just date stamps last modified - but not who did it.

    cheers.

  2. #2
    ChrisH's Avatar
    Join Date
    Jun 2005
    Location
    East Lancs
    Posts
    4,995
    Thank Post
    120
    Thanked 286 Times in 263 Posts
    Rep Power
    108
    You need to set up auditing but that doesnt help you after the fact I am afraid.

  3. #3
    kennysarmy's Avatar
    Join Date
    Oct 2005
    Location
    UK
    Posts
    1,327
    Thank Post
    84
    Thanked 47 Times in 33 Posts
    Rep Power
    31
    Quote Originally Posted by ChrisH View Post
    You need to set up auditing but that doesnt help you after the fact I am afraid.
    would you care to expand on that please.
    thanks.

  4. #4

    webman's Avatar
    Join Date
    Nov 2005
    Location
    North East England
    Posts
    8,414
    Thank Post
    642
    Thanked 964 Times in 664 Posts
    Blog Entries
    2
    Rep Power
    327
    Look for "Account Management" event types in the Security event log on the server's Event Viewer.

  5. #5
    ChrisH's Avatar
    Join Date
    Jun 2005
    Location
    East Lancs
    Posts
    4,995
    Thank Post
    120
    Thanked 286 Times in 263 Posts
    Rep Power
    108
    You can setup auditing to record certain events in AD. Its the same with files and folders. You have to enable it in group policy then set what you want to record elsewhere. Dont go to mad with selecting what you want to record though as you will end up with a full log. A quick google should supply you with a good guide

  6. #6

    SYNACK's Avatar
    Join Date
    Oct 2007
    Posts
    11,247
    Thank Post
    882
    Thanked 2,745 Times in 2,319 Posts
    Blog Entries
    11
    Rep Power
    785
    Just a thought, It may not have even been one of your team who deleted it, your security policies may have disabled it due to excessive invalid logins.

  7. #7
    Oops_my_bad's Avatar
    Join Date
    Jan 2007
    Location
    Man chest hair
    Posts
    1,738
    Thank Post
    438
    Thanked 53 Times in 50 Posts
    Rep Power
    30
    Quote Originally Posted by SYNACK View Post
    Just a thought, It may not have even been one of your team who deleted it, your security policies may have disabled it due to excessive invalid logins.
    Indeed

    @OP was the account showing a little red X on the object (disabled) or was it just locked out?

  8. #8
    kennysarmy's Avatar
    Join Date
    Oct 2005
    Location
    UK
    Posts
    1,327
    Thank Post
    84
    Thanked 47 Times in 33 Posts
    Rep Power
    31

    ...update..

    OK.
    I've edited the default domain policy:
    computer config: windows settings : security settings : local policies : audit policy.

    I've set to:
    account logon events : Failure
    account management : Success, Failure
    logon events : Success
    Audit system events : Success, Failure

    I wondered if this look OK? Will I need to do anything to action this new logging on the DC?

    Oh and yes the account was showing "disabled"....and no one seems to knlw who did it....quite worrying....got all the techie's to change their passwords.

  9. #9

    Michael's Avatar
    Join Date
    Dec 2005
    Location
    Birmingham
    Posts
    9,266
    Thank Post
    242
    Thanked 1,575 Times in 1,254 Posts
    Rep Power
    342
    Just Audit Account Management, set to Success and Failure should do the trick. Of course the only thing you must do is regularly check the Event Logs themselves!

    Do you use the Account Expires function in Active Directory? It's under the Account tab.
    Last edited by Michael; 3rd March 2008 at 03:38 PM.

  10. #10

    Ric_'s Avatar
    Join Date
    Jun 2005
    Location
    London
    Posts
    7,592
    Thank Post
    109
    Thanked 770 Times in 598 Posts
    Rep Power
    183
    I wouldn't audit successful logons! Say an average of 200 clients in use for 5 periods a day... 1000 events!!!

  11. #11

    plexer's Avatar
    Join Date
    Dec 2005
    Location
    Norfolk
    Posts
    13,633
    Thank Post
    734
    Thanked 1,693 Times in 1,507 Posts
    Rep Power
    435
    Hey heres and idea, how about you ask your team who did it and then beat them?

    Ben



SHARE:
+ Post New Thread

Similar Threads

  1. Replies: 2
    Last Post: 5th February 2008, 07:54 PM
  2. Replies: 2
    Last Post: 16th January 2008, 01:46 PM
  3. Deleted Admin User Account
    By timbo343 in forum Windows
    Replies: 8
    Last Post: 18th December 2007, 02:47 PM
  4. Modifying user account information
    By markwilliamson2001 in forum Windows
    Replies: 23
    Last Post: 12th September 2007, 02:50 PM
  5. Mandatory profile gets deleted along with the user account
    By mark_sharman in forum Network and Classroom Management
    Replies: 2
    Last Post: 23rd February 2007, 10:38 PM

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •