AD account deletion - trace the culprit.

  • Question

  • Hi,

    We have had numerous AD account deletions and I need to trace the culprit.
    I used LDAP and repadmin to trace the source of the deletion to a specific DC and here are the details from the security event log:

    Event Type:       Success Audit
    Event Source:     Security
    Event Category:   Account Management
    Event ID:         630
    Date:             11/11/2009
    Time:             13:04:20
    User:             EDITED\Administrator
    Computer:         edited
    Description:
    User Account Deleted:
                 Target Account Name:    EDITED
                 Target Domain:          EDITED
                 Target Account ID:      EDITED
                 DEL:40003eee-c996-48f6-82d7-fbe33b88cbcf
                 Caller User Name:       Administrator
                 Caller Domain:          EDITED
                 Caller Logon ID:        (0x0,0x2DF319D0)
                 Privileges:             -

    The same caller logon ID had been used for all the deletions.

    Can anyone tell me what this relates to? I've searched the registry (both hex and decimal) but found nothing. I have also used EventCombMT to search all the other DCs in the domain for any security events with this caller logon ID but found nothing.

    One thing is that the "Caller Domain" is from the forest root domain, whilst the deleted accounts belonged in a sub domain.

    I really need to trace the caller logon ID if possible, any help appreciated.

    Friday, November 13, 2009 10:46 AM

Answers

  • The Caller ID won't tell you what you are looking for.

    Unfortunately, auditing is designed to be used when all users have their own user accounts and no shared accounts are used.

    What you need to do is look for Administrator Logon or (account logon) events some time prior to the account deletions. Those will tell you the source computer. Sometimes people are clever and use multiple RDP connections to hide their true workstation, so you may need to trace several Logon events from computer to computer to find the source.

    If you don't log those events there is nothing you can do.

    Friday, November 13, 2009 3:30 PM
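The correlation the answer describes (find the logon event that created the session, then read its source workstation) written up as an added Python example that is not from the thread: it parses constructed text records in the Windows Server 2003 security-log layout and joins each event 630 to the 528/540 logon event carrying the same Logon ID. Field names follow those logs; the sample values, the `---` record separator and the helper names are assumptions.

```python
# Constructed sample records laid out like Windows Server 2003 security events
# (not from the thread): 540 = network logon, 630 = user account deleted.
SAMPLE_LOG = """\
Event ID: 540
Logon ID: (0x0,0x2DF319D0)
User Name: Administrator
Workstation Name: WKS-OPS-07
Source Network Address: 10.0.5.23
---
Event ID: 630
Caller Logon ID: (0x0,0x2DF319D0)
Target Account Name: jdoe
---
Event ID: 630
Caller Logon ID: (0x0,0x2DF319D0)
Target Account Name: asmith
---
Event ID: 630
Caller Logon ID: (0x0,0x3A1F0001)
Target Account Name: bjones
"""

def parse_events(text):
    """Split the export on '---'; each event becomes a dict of 'Field: value' pairs."""
    events = []
    for chunk in text.split("---"):
        fields = {}
        for line in chunk.strip().splitlines():
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        if fields:
            events.append(fields)
    return events

def correlate_deletions(events, logon_ids=("528", "540"), deletion_id="630"):
    """Join each 630 event to the 528/540 logon with the same Logon ID. Logon IDs
    are per-session values from the LSA of the machine that logged the logon, so
    only that DC's own log resolves them; unmatched = logged elsewhere/not audited."""
    sessions = {e["Logon ID"]: e for e in events
                if e.get("Event ID") in logon_ids and "Logon ID" in e}
    results = []
    for e in events:
        if e.get("Event ID") != deletion_id:
            continue
        src = sessions.get(e.get("Caller Logon ID"), {})   # {} when no logon matched
        results.append({"target": e.get("Target Account Name"),
                        "logon_id": e.get("Caller Logon ID"),
                        "workstation": src.get("Workstation Name"),
                        "source_ip": src.get("Source Network Address")})
    return results
```

The third deletion deliberately carries a Logon ID with no matching logon on this DC, which is the situation the answer warns about: the trail has to be picked up from the logon events of whichever machine issued that session.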

All replies

  • Change the password on the forest root domain Administrator account. It appears that account is being used to delete the accounts in the sub domain. It is most likely an Enterprise administrator.

    Friday, November 13, 2009 12:32 PM
  • Cheers - yeah, we know it's the root domain admin account and we have changed the password - unfortunately people have been using this account for AD management.

    I need to know what the caller logon ID relates to, to try and trace the origin (e.g. does it somehow relate to the PC / user, how is it formed - by Kerberos?). I don't think it just relates back to the Administrator account, as there are other account management events using the same domain admin account but with different caller logon IDs.

    Friday, November 13, 2009 2:52 PM
  • Big_vern,

    Did you get this resolved?
    Thursday, November 19, 2009 3:43 AM