Archived from groups: microsoft.public.win2000.active_directory (More info?)

Hi,

I had a issue with a user unable to login into the Domain, I identified the
problem to be the computer object of the PC was missing from AD. I have tried
to investigate as to how or who deleted this object and have a filter in our
Securoty logs for 630, 564 and 563 events with Security as the event source
but nothing comes up.
Is it that AD has dropped this object for some reason or am I viewing the
wrong event in Event Viewer.
I need to find out how this computer object has been deleted an by whom?

xor

Archived from groups: microsoft.public.win2000.active_directory (More info?)

"xor" <xor@discussions.microsoft.com> wrote in message
news:5254ACC4-3DD4-4FAD-9B6F-7CB1C8BF47B5@microsoft.com...
> Hi,
>
> I had a issue with a user unable to login into the Domain, I identified
the
> problem to be the computer object of the PC was missing from AD. I have
tried
> to investigate as to how or who deleted this object and have a filter in
our
> Securoty logs for 630, 564 and 563 events with Security as the event
source
> but nothing comes up.
> Is it that AD has dropped this object for some reason or am I viewing the
> wrong event in Event Viewer.
> I need to find out how this computer object has been deleted an by whom?


If you had Account Management auditing enabled and the logs haven't been
cleared then it should be in there -- without Account Management
auditing you probably cannot find out after the fact.

Also, it might be on a DIFFERENT DC so you have to check all of them
(multi-mastered AD and all that.)

You might also search for it - maybe it is in the wrong container (how
about LostAndFound?) and is hosed for some reason rather than deleted...

View->Advanced is required to see LostandFound (in AD Users/Computers.)


--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]

>
> xor

Archived from groups: microsoft.public.win2000.active_directory (More info?)

I had checked the security log on both our DC's.. but non of these events
were logged. I have done an ldap search on our GC sevrer but it is unable to
find the object also nothing in Lost and Found. I am searching for these
security events in the security log (630|564|563).. are there other events I
should be looking out for which will log the deletion of this computer
object.
Auditing has been enabled on the Domain and Domian Controllers Group Policy

Audit directory service access - Success, Failure

xor

"Herb Martin" wrote:

> "xor" <xor@discussions.microsoft.com> wrote in message
> news:5254ACC4-3DD4-4FAD-9B6F-7CB1C8BF47B5@microsoft.com...
> > Hi,
> >
> > I had a issue with a user unable to login into the Domain, I identified
> the
> > problem to be the computer object of the PC was missing from AD. I have
> tried
> > to investigate as to how or who deleted this object and have a filter in
> our
> > Securoty logs for 630, 564 and 563 events with Security as the event
> source
> > but nothing comes up.
> > Is it that AD has dropped this object for some reason or am I viewing the
> > wrong event in Event Viewer.
> > I need to find out how this computer object has been deleted an by whom?
>
>
> If you had Account Management auditing enabled and the logs haven't been
> cleared then it should be in there -- without Account Management
> auditing you probably cannot find out after the fact.
>
> Also, it might be on a DIFFERENT DC so you have to check all of them
> (multi-mastered AD and all that.)
>
> You might also search for it - maybe it is in the wrong container (how
> about LostAndFound?) and is hosed for some reason rather than deleted...
>
> View->Advanced is required to see LostandFound (in AD Users/Computers.)
>
>
> --
> Herb Martin, MCSE, MVP
> Accelerated MCSE
> http://www.LearnQuick.Com
> [phone number on web site]
>
> >
> > xor
>
>
>

Archived from groups: microsoft.public.win2000.active_directory (More info?)

> Auditing has been enabled on the Domain and Domian Controllers Group
Policy
>
> Audit directory service access - Success, Failure

I think what you really wish to audit is Account Management
(although DS access would work IF you also set ACLs on
every interesting object -- like files or other objects in Object
auditing, DS objects require to double setup: auditing AND
ACLs.)


--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]