Monday, September 3, 2012

Who Deleted That Active Directory Object?

Have you ever encountered a situation where an AD object, be it a user, computer, etc., is deleted and no one owns up to it?
In this situation, the usual questions will be when it happened, where it happened (which DC?), and who the culprit is.
You can say that you will be able to trace the culprit by poring over the security logs if you had enabled auditing, but picture this: what if you have over 80 domain controllers and you have no idea when the deletion took place?
The following procedure will provide you with the means to get the answers.

To get the Distinguished Name of the Deleted Object

1) First, open up LDP and connect to a server.
2) Next, bind to the DC you are connected to: click Connection and then Bind.
(If all the fields are left blank, it will bind with the credentials of the user you are currently logged on as.)
3) Click on Browse and then Search. Make sure that the control to return deleted objects is properly configured so that deleted objects will be returned.
4) Now we need to search for the deleted objects. If you go to View and then Tree and leave the base DN blank, it will go to the default naming context, which by default is the domain naming context. Once this shows up in the left-hand pane, expand it, go to the Deleted Objects container, alt-click it and choose Search. This way you search only that container and can look for the attribute we are interested in.
5) Once the object is located, copy its DN; it will be used in the next step.

Who, When, Where?
To gather the when and where, repadmin can be used as below:

Repadmin /showobjmeta <DC name> "DN which was copied in step 5 earlier"

You will get the object's attribute metadata as output, but what we are actually looking for here is the isDeleted attribute.
Its metadata line will tell you when the object was deleted and on which domain controller the deletion originated.

For the who, you may go to the domain controller identified earlier and run through its security logs.
The event ID to look for will be Event ID 630.
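The three steps above (find the tombstone, read the isDeleted replication metadata, then pull the matching Security log events from the originating DC) can be chained into one PowerShell function. The script below is an added example, not part of the original post; it assumes the ActiveDirectory module shipped with Windows Server 2012 / RSAT (for Get-ADObject and Get-ADReplicationAttributeMetadata), rights to read the remote DC's Security log, and that the originating DSA identity comes back as an NTDS Settings DN (that parsing is an assumption, with a fallback to the raw value). Event ID 630 is the Windows Server 2003 "User Account Deleted" event; on Server 2008 and later the equivalents are 4726 (user account deleted) and 5141 (directory service object deleted), so all three are queried. The account name 'jdoe' in the usage line is a constructed placeholder.

```powershell
# Added example (not the post's own code): automate "who, when, where" for a deleted AD object.
# Assumes: ActiveDirectory module (Server 2012 / RSAT), read access to the DC's Security log.
Import-Module ActiveDirectory

function Find-ADObjectDeletion {
    param(
        [Parameter(Mandatory)] [string] $Name,   # sAMAccountName or CN of the deleted object
        [string] $Server = (Get-ADDomainController -Discover).HostName[0],
        [int] $WindowMinutes = 15                 # search the Security log this far around the deletion time
    )

    # Step 1: locate the tombstone. This is the LDP search with the "return deleted
    # objects" control; a deleted object's CN becomes "<name>\0ADEL:<guid>", so "cn=<name>*" still matches.
    $tombstone = Get-ADObject -Server $Server -IncludeDeletedObjects `
        -LDAPFilter "(&(isDeleted=TRUE)(|(sAMAccountName=$Name)(cn=$Name*)))" `
        -Properties isDeleted, lastKnownParent, objectClass, whenChanged
    if (-not $tombstone) { throw "No deleted object matching '$Name' found on $Server." }
    if (@($tombstone).Count -gt 1) { throw "More than one deleted object matches '$Name'; refine the name." }

    # Step 2: the equivalent of "repadmin /showobjmeta <DC> <DN>", restricted to isDeleted.
    # LastOriginatingChangeTime is the "when", LastOriginatingChangeDirectoryServerIdentity the "where".
    $meta = Get-ADReplicationAttributeMetadata -Object $tombstone.DistinguishedName -Server $Server `
        -Attribute isDeleted -IncludeDeletedObjects
    $deletedAt = $meta.LastOriginatingChangeTime

    # Assumption: the DSA identity is returned as "CN=NTDS Settings,CN=<DC>,CN=Servers,...".
    # If the originating DC was demoted it may be a GUID instead, so fall back to the raw value.
    $dsa = [string]$meta.LastOriginatingChangeDirectoryServerIdentity
    $dc  = if ($dsa -match '^CN=NTDS Settings,CN=([^,]+),') { $Matches[1] } else { $dsa }

    # Step 3: the "who". Query only the originating DC, only around the deletion time.
    # 630 = Server 2003 user account deleted; 4726 / 5141 = Server 2008+ equivalents.
    # The metadata time is assumed to be local time; widen $WindowMinutes if the DC reports UTC.
    $events = @()
    try {
        $events = Get-EventLog -ComputerName $dc -LogName Security -InstanceId 630, 4726, 5141 `
            -After $deletedAt.AddMinutes(-$WindowMinutes) -Before $deletedAt.AddMinutes($WindowMinutes) `
            -ErrorAction Stop |
            Where-Object { $_.Message -match [regex]::Escape($Name) }
    } catch {
        Write-Warning "Could not read the Security log on ${dc}: $_"
    }

    [pscustomobject]@{
        DistinguishedName = $tombstone.DistinguishedName
        LastKnownParent   = $tombstone.lastKnownParent
        DeletedAt         = $deletedAt
        DeletedOnDC       = $dc
        Events            = $events   # the Message of each event names the caller account
    }
}

# Usage (constructed placeholder name):
Find-ADObjectDeletion -Name 'jdoe' | Format-List
```

Because the metadata already names the originating DC and the time, the log query touches one DC and a short time window rather than all 80; if no event comes back, the most common reasons are that Account Management / Directory Service auditing was not enabled at the time, or that the Security log had already rolled over.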
