I was doing an investigation and wanted to know who created an AD account. From the logs, the creator is shown as the name of our Exchange Server plus a dollar symbol. Why is it so? I want to know which Administrator created the account.
My infrastructure is Windows 2008 R2 Single Forest Single Domain with Exchange 2010.
Why is it shown as the Servername with a dollar symbol?
Is there anything I should do to find out the actual Administrator account which created the AD account?
I did a lot of searching for a solution, but couldn't find any. Your help is much appreciated.
- Edited by Manu Kannur Sunday, May 11, 2014 10:22 AM
You should enable the audit security policy, which will help you to determine and track AD attribute changes in Active Directory. By enabling this policy, you can check who created, deleted or modified user accounts in AD. Please refer to the links below for enabling the auditing policy:
Moreover, you can also have a look at this good resource available at (http://www.activedirectoryaudit.com/), which is equipped with several excellent features and provides instant alerts for each change made in Active Directory by sending customized emails. It also provides granular-level monitoring reports with real-time monitoring. You can export the report in your desired format, such as PDF, HTML or CSV.
Thanks for the reply.
I have a SIEM solution in place, and I have already enabled Advanced Audit Policies as well. That is how I got the log in the first place. There is a log; what I want to know is why it shows the Servername$ symbol.
- Edited by Manu Kannur Tuesday, May 13, 2014 9:17 AM
It seems that if an Administrator creates a user account from the Exchange Server, then the Exchange Server contacts the DC, and hence the DC logs would show that ExchangeServername$ created the account.
I think Microsoft must do something about it. Or is there already a way?
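
The behaviour described in this thread (the DC log naming ExchangeServername$ as the creator) can be triaged over exported Security events. The following is an added example, not part of any post in the thread: it parses account-creation events and separates those attributed to a machine account from those attributed to a named user. Event ID 4720 and the field names are those of the standard Windows Security log; the sample events and every name in them (EXCH01, CORP, the user names) are constructed.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
EVT = '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'

# Constructed sample export; EXCH01, CORP and all account names are made up.
# 4720 = "A user account was created"; the 4738 (account changed) event is noise.
SAMPLE = f"""<Events>
{EVT}<System><EventID>4720</EventID><TimeCreated SystemTime="2014-05-10T08:14:02Z"/></System>
<EventData><Data Name="TargetUserName">jdoe</Data><Data Name="SubjectUserName">EXCH01$</Data>
<Data Name="SubjectDomainName">CORP</Data></EventData></Event>
{EVT}<System><EventID>4720</EventID><TimeCreated SystemTime="2014-05-10T09:30:45Z"/></System>
<EventData><Data Name="TargetUserName">asmith</Data><Data Name="SubjectUserName">admin.kim</Data>
<Data Name="SubjectDomainName">CORP</Data></EventData></Event>
{EVT}<System><EventID>4738</EventID><TimeCreated SystemTime="2014-05-10T09:31:00Z"/></System>
<EventData><Data Name="TargetUserName">asmith</Data><Data Name="SubjectUserName">admin.kim</Data>
<Data Name="SubjectDomainName">CORP</Data></EventData></Event>
</Events>"""


def account_creations(xml_text):
    """Return one record per 4720 event: time, created account, acting Subject."""
    records = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "4720":
            continue
        data = {d.get("Name"): (d.text or "") for d in ev.findall("e:EventData/e:Data", NS)}
        subject = data.get("SubjectUserName", "")
        records.append({
            "time": ev.find("e:System/e:TimeCreated", NS).get("SystemTime"),
            "created": data.get("TargetUserName", ""),
            "subject": f'{data.get("SubjectDomainName", "")}\\{subject}',
            # A trailing $ marks a machine account: a server wrote to AD, not a person.
            "via_machine_account": subject.endswith("$"),
        })
    return records


def needs_follow_up(records):
    """Group creations attributed to a machine account by that account."""
    # For these the DC log alone does not name the administrator.
    pending = defaultdict(list)
    for r in records:
        if r["via_machine_account"]:
            pending[r["subject"]].append((r["time"], r["created"]))
    return dict(pending)
```

Each entry returned by `needs_follow_up` gives the server name and timestamps to look up in that server's own logs.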