Tracking deleted OU

Tags: Active Directory, Active Directory Domain, OU, Windows Server 2003, Windows Server 2003 Domain
One OU was deleted from our Windows 2003 AD domain. Can we track how it was deleted or who deleted it?
ASKED: June 7, 2011  6:06 PM
UPDATED: June 8, 2011  8:53 AM

Answer Wiki


Look at this link:

http://krypted.com/windows-server/windows-server-who-deleted-my-frickin-ou/

Discuss This Question: 1  Reply

 
  • IceCubbe
    Troubleshooter, here is another option you can try. In the deleted AD event, under the "Object details" look for the objectGUID field. It will look like:

    objectGUID=4afba9d3-6d77-b140-3591-0f45dc297f66

    The same GUID will show up in the Security event related to the deletion of the OU. The field name in the Security event is different, but the value is the same.

    I tried it myself: I deleted a user account in the DC. The ActiveDirectory event showed up in Splunk together with the WinEventLog Security event with EventCode=630. Both events had that same GUID. In the Security event the GUID looked like:

    Target Account ID: John Doe DEL:4afba9d3-6d77-b140-3591-0f45dc297f66

    So you can run searches to look for an ActiveDirectory isDeleted=TRUE, which then shares that objectGUID field value in the Security events.

    Another thing you can do is to look for specific EventCodes related to object deletions: http://support.microsoft.com/kb/174074

    Event ID: 638 Type: Success Audit Description: Local Group Deleted
    Event ID: 634 Type: Success Audit Description: Global Group Deleted
    Event ID: 630 Type: Success Audit Description: User Account Deleted
    Event ID: 564 Type: Success Audit Description: Object Deleted
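The GUID correlation described in IceCubbe's reply, as an added example that is not part of the original thread: it pairs each ActiveDirectory event marked isDeleted=TRUE with the Security deletion event carrying the same GUID and reports the caller. The event strings are constructed samples, and the `Caller User Name` / `Caller Domain` layout, the `EXAMPLE` domain and all function names are assumptions for illustration.

```python
import re

GUID = r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}"
DELETION_CODES = {"564", "630", "634", "638"}  # event IDs listed in the reply

# Constructed sample events (not real logs). The field layout is an assumption
# modelled on the snippets quoted in the reply.
AD_EVENTS = [
    "objectGUID=4afba9d3-6d77-b140-3591-0f45dc297f66 isDeleted=TRUE",
    "objectGUID=11111111-2222-3333-4444-555555555555 isDeleted=FALSE",
    "objectGUID=99999999-aaaa-bbbb-cccc-dddddddddddd isDeleted=TRUE",
]
SECURITY_EVENTS = [
    "EventCode=630 Target Account ID: John Doe DEL:4afba9d3-6d77-b140-3591-0f45dc297f66 "
    "Caller User Name: admin.example Caller Domain: EXAMPLE",
    "EventCode=624 Target Account ID: Jane Roe Caller User Name: helpdesk Caller Domain: EXAMPLE",
]

def deleted_guids(ad_events):
    """GUIDs of directory objects whose AD event carries isDeleted=TRUE."""
    found = []
    for ev in ad_events:
        m = re.search(r"objectGUID=(" + GUID + ")", ev)
        if m and re.search(r"\bisDeleted=TRUE\b", ev, re.I):
            found.append(m.group(1).lower())
    return found

def index_security(sec_events):
    """Map GUID -> (event code, caller) for deletion audit events only."""
    index = {}
    for ev in sec_events:
        code = re.search(r"EventCode=(\d+)", ev)
        guid = re.search(r"DEL:(" + GUID + ")", ev)
        if not (code and guid and code.group(1) in DELETION_CODES):
            continue
        caller = re.search(r"Caller User Name:\s*(\S+)", ev)
        domain = re.search(r"Caller Domain:\s*(\S+)", ev)
        who = "\\".join(x.group(1) for x in (domain, caller) if x) or None
        index[guid.group(1).lower()] = (code.group(1), who)
    return index

def correlate(ad_events, sec_events):
    """Pair each deleted object with its audit event; None means no audit record."""
    idx = index_security(sec_events)
    return {g: idx.get(g) for g in deleted_guids(ad_events)}

if __name__ == "__main__":
    for guid, hit in correlate(AD_EVENTS, SECURITY_EVENTS).items():
        print(guid, "->", hit or "no matching Security event (auditing gap?)")
```

A deleted GUID that maps to `None` has no matching Security event in the searched data, which is worth checking against the domain controllers' audit settings and log retention.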