
Need a search to tell me who deleted an ou object in active directory

0 like 0 dislike
950 views
I have Windows Security events that tell me when a user logged on and I have an ActiveDirectory event that tells me that an OU object was deleted, but I cannot figure out how to correlate the two events together without a common unique "id" field (value) to link them.

Is there a configuration within AD or within Windows that will log some sort of common ID or GUID to both events so I can tie them together into a "this person deleted this OU object" in a report?

Or, am I out of luck and maybe there is some search that will get me close to correlating these two semi-related events in such a way that I can get an approximate report along these lines?
asked Apr 17, 2013 by anonymous  
I'll look into this and see if I can come up with something...  I'm not sure if it's possible either.

4 Answers

0 like 0 dislike
 
Best answer

In the deleted AD event, under the "Object details" look for the objectGUID field. It will look like:

objectGUID=4afba9d3-6d77-b140-3591-0f45dc297f66

The same GUID will show up in the Security event related to the deletion of the OU. The field name in the Security event is different, but the value is the same.

I tried it myself, I deleted a user account in the DC. The ActiveDirectory event showed up in Splunk together with the WinEventLog Security event with EventCode=630. Both events had that same GUID.

In the Security event the GUID looked like:

Target Account ID: John Doe
DEL:4afba9d3-6d77-b140-3591-0f45dc297f66

So you can run searches to look for an ActiveDirectory isDeleted=TRUE, which then shares that objectGUID field value in the Security events.

Another thing you can do is to look for specific EventCodes related to object deletions:

http://support.microsoft.com/kb/174074

Event ID: 638
Type: Success Audit
Description: Local Group Deleted:

Event ID: 634
Type: Success Audit
Description: Global Group Deleted:

Event ID: 630
Type: Success Audit
Description: User Account Deleted:

Event ID: 564
Type: Success Audit
Description: Object Deleted:

answered Apr 18, 2013 by anonymous  
selected Apr 18, 2013 by sarwana
Correct!  If you have problems getting the search right, let me know, I can help with that.
I only see EventCode=630. I do not have any of the other EventCodes you mention above, although I DO see my ActiveDirectory events saying isDeleted=TRUE for when a group object was deleted.
How do I turn on Win security auditing of group deletes so I can get the 638 and 634 EventCodes generated?
Okay, I see the Windows Security events when I delete group objects now that I've enabled AD auditing. However, when I delete a top-most OU object itself, I do NOT see any Windows Security event generated for that. I do see the ActiveDirectory DEL event, but it does not tell me which user made the deletion.
Got it to work, finally. I can NOW see the events after enabling local admin auditing as well as group auditing. (Log into the domain controller -> Administrative Tools -> Domain Controller Security Settings and enable the auditing from there.)
Nice, good stuff.
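The join the accepted answer describes, written out as an added example (Python, not code from the original thread): the objectGUID from the ActiveDirectory isDeleted=TRUE event is matched against the DEL:&lt;guid&gt; line of the Security event, and the caller fields of the Security event give the "who". The event texts below are constructed samples; the first GUID is the one quoted in the answer, the others are made up.

```python
import re

GUID = r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}"
AD_GUID = re.compile(r"objectGUID=(" + GUID + ")")   # ActiveDirectory (admon) event
SEC_GUID = re.compile(r"DEL:(" + GUID + ")")         # Security event, line after Target Account ID
KV = re.compile(r"^\s*([^:=]+?)\s*[:=]\s*(.*?)\s*$")

# Constructed sample events, not real log data. The first GUID is the one quoted in
# the accepted answer; the others are made up to show the unmatched and not-deleted cases.
AD_EVENTS = [
    "objectGUID=4afba9d3-6d77-b140-3591-0f45dc297f66\nisDeleted=TRUE\nobjectClass=user",
    "objectGUID=9c1d2e3f-0000-4000-8000-000000000001\nisDeleted=TRUE\nobjectClass=organizationalUnit",
    "objectGUID=9c1d2e3f-0000-4000-8000-000000000002\nobjectClass=user",
]
SECURITY_EVENTS = [
    "EventCode=630\nType=Success Audit\nMessage=User Account Deleted:\n"
    "    Target Account Name: jdoe\n    Target Domain: CORP\n    Target Account ID: John Doe\n"
    "DEL:4AFBA9D3-6D77-B140-3591-0F45DC297F66\n    Caller User Name: helpdesk01\n    Caller Domain: CORP",
]

def parse_fields(event: str) -> dict:
    """Turn 'key=value' (admon) and 'Key Name: value' (Security) lines into a dict."""
    return {m.group(1): m.group(2) for m in map(KV.match, event.splitlines()) if m}

def ad_deletions(events: list) -> dict:
    """objectGUID (lower-cased) -> fields, for ActiveDirectory events with isDeleted=TRUE."""
    out = {}
    for ev in events:
        m, f = AD_GUID.search(ev), parse_fields(ev)
        if m and f.get("isDeleted", "").upper() == "TRUE":
            out[m.group(1).lower()] = f
    return out

def security_deletions(events: list) -> dict:
    """objectGUID (lower-cased, taken from the DEL:<guid> line) -> fields of the Security event."""
    return {m.group(1).lower(): parse_fields(ev)
            for ev in events for m in [SEC_GUID.search(ev)] if m}

def who_deleted(ad_events: list, sec_events: list) -> list:
    """Join both sources on objectGUID. An AD deletion with no Security match is reported
    with caller None, which is the OU-delete symptom seen before auditing was enabled."""
    sec = security_deletions(sec_events)
    rows = []
    for guid, f in ad_deletions(ad_events).items():
        s = sec.get(guid)
        rows.append({"objectGUID": guid, "objectClass": f.get("objectClass"),
                     "EventCode": s.get("EventCode") if s else None,
                     "caller": f"{s['Caller Domain']}\\{s['Caller User Name']}" if s else None})
    return rows
```

Running who_deleted(AD_EVENTS, SECURITY_EVENTS) yields one row attributing the user deletion to CORP\helpdesk01 and one row for the OU deletion with caller None, the case where auditing on the DC still has to be turned on.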
0 like 0 dislike
answered Apr 18, 2013 by anonymous  
0 like 0 dislike

http://support.microsoft.com/kb/258310

When an Active Directory object is deleted, a small portion of the object remains for a specified period of time so that other domain controllers that are replicating changes will become aware of the deletion. This period of time is referred to as the "tombstone lifetime" and is configurable. This article describes how to view the objects that have been deleted.

answered Apr 18, 2013 by anonymous  
1 like 0 dislike

The way I search who deleted an account on our domain is by downloading Account Lockout and Management Tools.

Unzip the package and run eventcombMT.exe

Select your AD server and, under Choose Log Files to search, tick Security. Under Event Types, tick Success Audit.

In the Event IDs enter 630

Event ID: 630
Type: Success Audit
Description: User Account Deleted:

When you finish with the search it should show you who deleted the account in the logs.

Hope this helps.

answered Apr 18, 2013 by anonymous  