Windows Thread, Who done it! in Technical; One of the OU's in active directory has been renamed. It can only be one of 3 people, Iím one ...
24th November 2008, 03:48 PM #1
Who done it!
One of the OU's in active directory has been renamed. It can only be one of 3 people, Iím one and its not me. The other are denying it? Is there a way to find out who done it Script or something?
I would like to be humane about this so thumb screws are out, for the moment........
The server is 2003 standard
24th November 2008, 03:55 PM #2
As far as I'm aware you can't as this happened to us a few weeks back.
Four of us with Domain Admin accounts, 3 of which would never do it, as we wouldn't and we trust that fact and 1 that said it wasn't her, but it __HAD__ to be.
Wasn't that bad apart from the fact Serco and ePortal died, and wouldn't revive. Took around 2 days with support from Serco to get it all going again.
(Apparently if you change the OU's as registered in its configuration it won't start properly)
24th November 2008, 04:02 PM #3
Not much of a deal really, would just like to know.
I have the modified date which was 21st Friday
Just need modified by..........
24th November 2008, 04:05 PM #4
I don't think you can tell unless you had previously switched on auditing.
24th November 2008, 04:13 PM #5
Any idea how to turn on auditing. too late this time but i'll get them next time?
24th November 2008, 04:41 PM #6
Group Policy Management -> edit Domain Controllers policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policy -> Audit Policy -> Audit policy change
Should show up in your DC security logs. Filter for event 566.
24th November 2008, 04:58 PM #7
Troubler with auditing is ... all you may find out it was renamed by Administrator unless you have that password firmly tucked away
26th November 2008, 12:04 AM #8
.. which is exactly why nobody should use the Administrator account. Best to create special 'ADM...' accounts specific to users that require extra access. Once you do this, then auditing can be configured to catch config changes.
Originally Posted by elsiegee40
Users Browsing this Thread
There are currently 1 users browsing this thread. (0 members and 1 guests)