+ Post New Thread
Results 1 to 11 of 11
Windows Thread, User account disabled - who did it? in Technical; Is there anyway to find out which of my team disabled a students account? Using windows 2000 server. AD Users ...
  1. #1
    kennysarmy's Avatar
    Join Date
    Oct 2005
    Location
    UK
    Posts
    1,286
    Thank Post
    80
    Thanked 45 Times in 31 Posts
    Rep Power
    31

    User account disabled - who did it?

    Is there anyway to find out which of my team disabled a students account?
    Using windows 2000 server.
    AD Users and Computers just date stamps last modified - but not who did it.

    cheers.

  2. #2
    ChrisH's Avatar
    Join Date
    Jun 2005
    Location
    East Lancs
    Posts
    5,009
    Thank Post
    120
    Thanked 282 Times in 260 Posts
    Rep Power
    108
    You need to set up auditing but that doesnt help you after the fact I am afraid.

  3. #3
    kennysarmy's Avatar
    Join Date
    Oct 2005
    Location
    UK
    Posts
    1,286
    Thank Post
    80
    Thanked 45 Times in 31 Posts
    Rep Power
    31
    Quote Originally Posted by ChrisH View Post
    You need to set up auditing but that doesnt help you after the fact I am afraid.
    would you care to expand on that please.
    thanks.

  4. #4

    webman's Avatar
    Join Date
    Nov 2005
    Location
    North East England
    Posts
    8,406
    Thank Post
    639
    Thanked 961 Times in 661 Posts
    Blog Entries
    2
    Rep Power
    324
    Look for "Account Management" event types in the Security event log on the server's Event Viewer.

  5. #5
    ChrisH's Avatar
    Join Date
    Jun 2005
    Location
    East Lancs
    Posts
    5,009
    Thank Post
    120
    Thanked 282 Times in 260 Posts
    Rep Power
    108
    You can setup auditing to record certain events in AD. Its the same with files and folders. You have to enable it in group policy then set what you want to record elsewhere. Dont go to mad with selecting what you want to record though as you will end up with a full log. A quick google should supply you with a good guide

  6. #6

    SYNACK's Avatar
    Join Date
    Oct 2007
    Posts
    11,174
    Thank Post
    868
    Thanked 2,702 Times in 2,289 Posts
    Blog Entries
    11
    Rep Power
    773
    Just a thought, It may not have even been one of your team who deleted it, your security policies may have disabled it due to excessive invalid logins.

  7. #7
    Oops_my_bad's Avatar
    Join Date
    Jan 2007
    Location
    Man chest hair
    Posts
    1,738
    Thank Post
    438
    Thanked 53 Times in 50 Posts
    Rep Power
    30
    Quote Originally Posted by SYNACK View Post
    Just a thought, It may not have even been one of your team who deleted it, your security policies may have disabled it due to excessive invalid logins.
    Indeed

    @OP was the account showing a little red X on the object (disabled) or was it just locked out?

  8. #8
    kennysarmy's Avatar
    Join Date
    Oct 2005
    Location
    UK
    Posts
    1,286
    Thank Post
    80
    Thanked 45 Times in 31 Posts
    Rep Power
    31

    ...update..

    OK.
    I've edited the default domain policy:
    computer config: windows settings : security settings : local policies : audit policy.

    I've set to:
    account logon events : Failure
    account management : Success, Failure
    logon events : Success
    Audit system events : Success, Failure

    I wondered if this look OK? Will I need to do anything to action this new logging on the DC?

    Oh and yes the account was showing "disabled"....and no one seems to knlw who did it....quite worrying....got all the techie's to change their passwords.

  9. #9

    Michael's Avatar
    Join Date
    Dec 2005
    Location
    Birmingham
    Posts
    9,262
    Thank Post
    242
    Thanked 1,568 Times in 1,250 Posts
    Rep Power
    340
    Just Audit Account Management, set to Success and Failure should do the trick. Of course the only thing you must do is regularly check the Event Logs themselves!

    Do you use the Account Expires function in Active Directory? It's under the Account tab.
    Last edited by Michael; 3rd March 2008 at 02:38 PM.

  10. #10

    Ric_'s Avatar
    Join Date
    Jun 2005
    Location
    London
    Posts
    7,596
    Thank Post
    109
    Thanked 764 Times in 595 Posts
    Rep Power
    181
    I wouldn't audit successful logons! Say an average of 200 clients in use for 5 periods a day... 1000 events!!!

  11. #11

    plexer's Avatar
    Join Date
    Dec 2005
    Location
    Norfolk
    Posts
    13,618
    Thank Post
    648
    Thanked 1,619 Times in 1,449 Posts
    Rep Power
    421
    Hey heres and idea, how about you ask your team who did it and then beat them?

    Ben

SHARE:
+ Post New Thread

Similar Threads

  1. Replies: 2
    Last Post: 5th February 2008, 06:54 PM
  2. Replies: 2
    Last Post: 16th January 2008, 12:46 PM
  3. Deleted Admin User Account
    By timbo343 in forum Windows
    Replies: 8
    Last Post: 18th December 2007, 01:47 PM
  4. Modifying user account information
    By markwilliamson2001 in forum Windows
    Replies: 23
    Last Post: 12th September 2007, 01:50 PM
  5. Mandatory profile gets deleted along with the user account
    By mark_sharman in forum Network and Classroom Management
    Replies: 2
    Last Post: 23rd February 2007, 09:38 PM

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •