Tracking deleted OU
One OU was deleted from our Windows 2003 AD domain. Can we track how it was deleted or who deleted it?

ASKED: June 7, 2011 6:06 PM
UPDATED: June 8, 2011 8:53 AM

Answer Wiki:
Look at this link: http://krypted.com/windows-server/windows-server-who-deleted-my-frickin-ou/
Last Wiki Answer Submitted: June 8, 2011 8:41 am by IceCubbe


Discuss This Question:
Troubleshooter, here is another option you can try.

In the deleted AD event, under the “Object details” look for the objectGUID field. It will look like:

objectGUID=4afba9d3-6d77-b140-3591-0f45dc297f66

The same GUID will show up in the Security event related to the deletion of the OU. The field name in the Security event is different, but the value is the same.

I tried it myself: I deleted a user account in the DC. The ActiveDirectory event showed up in Splunk together with the WinEventLog Security event with EventCode=630. Both events had that same GUID.

In the Security event the GUID looked like:

Target Account ID: John Doe
DEL:4afba9d3-6d77-b140-3591-0f45dc297f66

So you can run searches to look for an ActiveDirectory isDeleted=TRUE, which then shares that objectGUID field value in the Security events.

Another thing you can do is to look for specific EventCodes related to object deletions:

http://support.microsoft.com/kb/174074

Event ID: 638
Type: Success Audit
Description: Local Group Deleted:

Event ID: 634
Type: Success Audit
Description: Global Group Deleted:

Event ID: 630
Type: Success Audit
Description: User Account Deleted:

Event ID: 564
Type: Success Audit
Description: Object Deleted:

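As an added example (not part of the answer above, and not Splunk's or Microsoft's code), the correlation the answer describes, written in Python: index the isDeleted=TRUE ActiveDirectory events by objectGUID, then join them to Security events whose Target Account ID carries DEL:<GUID>, pulling out the EventCode and the Caller User Name. The sample events are constructed to mirror the formats described in the post; apart from the GUID quoted in the answer, the GUIDs, names and DNs are made up.

```python
import re

# Hyphenated GUID as it appears in objectGUID and in the "DEL:<guid>" tombstone name.
GUID_RE = r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}"

# Constructed sample events, not real logs. AD_EVENTS mirrors Splunk ActiveDirectory
# change events (one deleted user, one deleted OU, one live user); SECURITY_EVENTS
# mirrors Windows 2003 Security audit text as described in the post, with the
# tombstone GUID after "DEL:" in the Target Account ID field of EventCode 630.
AD_EVENTS = [
    {"objectGUID": "4afba9d3-6d77-b140-3591-0f45dc297f66", "isDeleted": "TRUE",
     "objectClass": "user", "dn": "CN=John Doe,OU=Staff,DC=example,DC=com"},
    {"objectGUID": "0d1e2f30-4a5b-6c7d-8e9f-a0b1c2d3e4f5", "isDeleted": "TRUE",
     "objectClass": "organizationalUnit", "dn": "OU=Sales,DC=example,DC=com"},
    {"objectGUID": "9f8e7d6c-5b4a-3928-1706-f5e4d3c2b1a0", "isDeleted": "FALSE",
     "objectClass": "user", "dn": "CN=Jane Roe,OU=Staff,DC=example,DC=com"},
]
SECURITY_EVENTS = [
    "EventCode=630 Type=Success Audit User Account Deleted: "
    "Target Account Name: jdoe Target Domain: EXAMPLE "
    "Target Account ID: John Doe DEL:4AFBA9D3-6D77-B140-3591-0F45DC297F66 "
    "Caller User Name: jsmith Caller Domain: EXAMPLE",
    "EventCode=528 Type=Success Audit Successful Logon: User Name: jsmith Domain: EXAMPLE",
]

def deleted_objects(ad_events):
    """Index the isDeleted=TRUE AD events by lower-cased objectGUID."""
    return {e["objectGUID"].lower(): e for e in ad_events if e.get("isDeleted") == "TRUE"}

def tombstone_guid(message):
    """Return the GUID following 'DEL:' in a Security event message, or None."""
    m = re.search(r"DEL:(" + GUID_RE + ")", message)
    return m.group(1).lower() if m else None

def correlate(ad_events, security_events):
    """Join AD deletions to Security events on the shared GUID. Returns
    {objectGUID: {"dn", "event_code", "caller"}}; caller=None means no Security
    event matched (auditing off, or the event was not collected)."""
    result = {g: {"dn": e["dn"], "event_code": None, "caller": None}
              for g, e in deleted_objects(ad_events).items()}
    for msg in security_events:
        guid = tombstone_guid(msg)
        if guid not in result:
            continue  # not a deletion, or not one of the AD objects we indexed
        code = re.search(r"EventCode=(\d+)", msg)
        who = re.search(r"Caller User Name:\s*(\S+)", msg)
        result[guid]["event_code"] = int(code.group(1)) if code else None
        result[guid]["caller"] = who.group(1) if who else None
    return result
```

Calling `correlate(AD_EVENTS, SECURITY_EVENTS)` attributes the user deletion to jsmith via EventCode 630, while the deleted OU comes back with caller=None, the case to investigate when audit policy or log collection has a gap.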