Who done it!
One of the OU's in active directory has been renamed. It can only be one of 3 people, Iím one and its not me. The other are denying it? Is there a way to find out who done it Script or something?
I would like to be humane about this so thumb screws are out, for the moment........
The server is 2003 standard
As far as I'm aware you can't as this happened to us a few weeks back.
Four of us with Domain Admin accounts, 3 of which would never do it, as we wouldn't and we trust that fact and 1 that said it wasn't her, but it __HAD__ to be.
Wasn't that bad apart from the fact Serco and ePortal died, and wouldn't revive. Took around 2 days with support from Serco to get it all going again.
(Apparently if you change the OU's as registered in its configuration it won't start properly)
Not much of a deal really, would just like to know.
I have the modified date which was 21st Friday
Just need modified by..........
I don't think you can tell unless you had previously switched on auditing.
Any idea how to turn on auditing. too late this time but i'll get them next time?
Group Policy Management -> edit Domain Controllers policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policy -> Audit Policy -> Audit policy change
Should show up in your DC security logs. Filter for event 566.
Troubler with auditing is ... all you may find out it was renamed by Administrator unless you have that password firmly tucked away :(
.. which is exactly why nobody should use the Administrator account. Best to create special 'ADM...' accounts specific to users that require extra access. Once you do this, then auditing can be configured to catch config changes.
Originally Posted by elsiegee40