Windows Utility or features that can audit when a workstation was deleted in Active Directory


  • Wednesday, December 19, 2012 7:59 PM
     
     

    Hi there,

    Is there a Windows Server 2008 utility or feature that can audit or track when a computer was deleted in Active Directory?

    We encountered this problem more than 3 times and I'm interested to find out when or who deleted the computer object in Active Directory.

    Best

    ACUC

All Replies

  • Wednesday, December 19, 2012 9:11 PM
     
     Answered
    You would use security event auditing, but you must set it up beforehand. If auditing is not set up there's no way of finding out after the fact.
  • Monday, December 24, 2012 2:18 AM
    Moderator
     
     

    Hi ACUC,

    As this thread has been quiet for a while, we will mark it as ‘Answered’ as the information provided should be helpful. If you need further help, please feel free to reply to this post directly so we will be notified to follow it up. You can also choose to unmark the answer as you wish.

    BTW, we’d love to hear your feedback about the solution. By sharing your experience you can help other community members facing similar problems. Thanks for your understanding and efforts.

    Best Regards

    Kevin

    TechNet Subscriber Support

  • Monday, December 24, 2012 12:20 PM
     
     

    You can show the replication metadata of the tombstone (if the tombstone hasn't been garbage collected already) - tombstone lifetime is either 60 or 180 depending on how you have built your forest (meaning that the object still exists as a tombstone in the default objects container).

    How to view deleted objects using LDP.exe (Requires Windows Support Tools to be installed on Windows Server 2003 or Windows 2000 Server)
    http://support.microsoft.com/kb/258310

    Right-click the tombstone that corresponds to the deleted computer object, click Advanced and then click Replication Metadata, and you will get an output similar to this (where AttID=20030 is equal to 'isDeleted'; you can now obtain the time when the account was deleted from the 'Org.Time/Date' column):

    Getting 'CN=delayedLinkProcessGroup1\0ADEL:a659f936-530d-4e7d-bb38-b271a54213fe,CN=Deleted Objects,CN=ESEDEV,DC=ADAM,DC=chrisse,DC=com' metadata...
    12 entries.
    AttID    Ver  Loc.USN  Originating DSA                       Org.USN  Org.Time/Date
    =====    ===  =======  ===============                       =======  =============
        0      1   323668  55294c3d-320d-43c7-a758-9e8195c9e9a9   323668  2012-08-29 07:58:32
        3      2   536687  55294c3d-320d-43c7-a758-9e8195c9e9a9   536687  2012-12-24 13:18:21
    20001      1   323668  55294c3d-320d-43c7-a758-9e8195c9e9a9   323668  2012-08-29 07:58:32
    20002      1   323668  55294c3d-320d-43c7-a758-9e8195c9e9a9   323668  2012-08-29 07:58:32
    20030      1   536687  55294c3d-320d-43c7-a758-9e8195c9e9a9   536687  2012-12-24 13:18:21


    Enfo Zipper Christoffer Andersson – Principal Advisor http://blogs.chrisse.se - Directory Services Blog
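
Added example (not code from the thread or from LDP): a small Python parser for the replication-metadata text quoted in the last reply, which picks out the AttID 20030 (isDeleted) row and reports when the delete originated and on which DSA. The function and field names are this example's own, and the sample input is an abridged copy of the output in that reply.

```python
import re
from datetime import datetime

# Abridged copy of the LDP output quoted in the reply above (3 of its rows).
SAMPLE = r"""Getting 'CN=delayedLinkProcessGroup1\0ADEL:a659f936-530d-4e7d-bb38-b271a54213fe,CN=Deleted Objects,CN=ESEDEV,DC=ADAM,DC=chrisse,DC=com' metadata...
12 entries.
AttID    Ver Loc.USN                   Originating DSA Org.USN      Org.Time/Date
=====    === =======                   =============== =======      =============
     0      1   323668 55294c3d-320d-43c7-a758-9e8195c9e9a9   323668 2012-08-29 07:58:32
     3      2   536687 55294c3d-320d-43c7-a758-9e8195c9e9a9   536687 2012-12-24 13:18:21
 20030      1   536687 55294c3d-320d-43c7-a758-9e8195c9e9a9   536687 2012-12-24 13:18:21
"""

IS_DELETED = "20030"  # AttID the reply identifies as 'isDeleted'

# One data row: AttID, version, local USN, originating DSA, originating USN, time.
ROW = re.compile(
    r"^\s*(?P<attid>[0-9a-fA-F]+)\s+(?P<ver>\d+)\s+(?P<loc_usn>\d+)\s+"
    r"(?P<dsa>[0-9a-fA-F-]{36})\s+(?P<org_usn>\d+)\s+"
    r"(?P<when>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s*$")
# Tombstone DN: original name, then "\0ADEL:" and the object's GUID.
DN = re.compile(r"Getting 'CN=(?P<name>.*?)\\0ADEL:(?P<guid>[0-9a-fA-F-]{36}),")

def parse_metadata(text):
    """Return (tombstone name/guid dict or None, list of attribute rows)."""
    dn = DN.search(text)
    rows = [m.groupdict() for m in map(ROW.match, text.splitlines()) if m]
    return (dn.groupdict() if dn else None), rows

def deletion_record(text):
    """Summarise the isDeleted row; None when the object is not a tombstone."""
    dn, rows = parse_metadata(text)
    hit = next((r for r in rows if r["attid"] == IS_DELETED), None)
    if dn is None or hit is None:
        return None
    # Rows stamped with the same originating DSA and USN as the isDeleted row.
    same_write = [r["attid"] for r in rows
                  if (r["dsa"], r["org_usn"]) == (hit["dsa"], hit["org_usn"])]
    return {
        "name": dn["name"],
        "object_guid": dn["guid"],
        # Time exactly as the tool printed it; no timezone is attached.
        "deleted_at": datetime.strptime(hit["when"], "%Y-%m-%d %H:%M:%S"),
        "originating_dsa": hit["dsa"],
        "same_write": same_write,
    }

if __name__ == "__main__":
    print(deletion_record(SAMPLE))
```

The metadata yields the deletion time and the originating DSA, but not the account that performed the delete; identifying that still depends on the security auditing mentioned in the first reply.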