Track user/computer/ip by Caller Logon ID

PanTzeR

Guest
Greetings All,

I got a situation where an account was deleted from AD using a domain admin account and would like to track it to the IP or computer that it was done from. I did a bit of investigation and located the event that was logged on a Domain Controller when that happened. It shows a bit of detail, such as time, username etc:

----------------------------------------------

Event Type: Success Audit

Event Source: Security

Event Category: Account Management

Event ID: 647

Date: 24/04/2008

Time: 10:20:41 AM

User: MYDOMAIN\domadmin

Computer: DOMAINDC14

Description:

Computer Account Deleted:

Target Account Name: COMPUTER462$

Target Domain: MYDOMAIN

Target Account ID: COMPUTER462

DEL:feb4cabb-34d2-46e3-a84f-9092685d2452

Caller User Name: domadmin

Caller Domain: MYDOMAIN

Caller Logon ID: (0x0,0x4D53D30)

Privileges: -

----------------------------------------------

As I understand it, that was done from DC14 (probably an RDP connection). Unfortunately, Account Logon Events were not recorded during that time. That probably could have helped a bit (is there logging for RDP elsewhere?).

The questions that I keep chasing in my mind are:

1) What is the Caller Logon ID property? I've googled that for some time, but have not found a really nice and detailed explanation.

2) Is it possible to use the information that I have to track the deletion further (ideally to an IP or ComputerName)?

WBR,

PanTzeR
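Added example (editor's code, not from the post or any reply). The Caller Logon ID is the identifier of the logon session that performed the action: the pair in parentheses is the 64-bit locally unique ID of the session, and Windows stamps it on every security event that session generates. The same value appears as "Logon ID" in the event that opened the session (on Windows Server 2003 the success audits 528 and 540 from the "Audit logon events" category, which also carry Workstation Name, Logon Type and Source Network Address). Note that this is the Logon/Logoff category, not the "Account Logon" category mentioned in the post. The script below assumes those logon events were collected, which the post says was not the case here, and shows the correlation on constructed samples: the 647 record mirrors the one quoted above, while the 528 record, the workstation ADMINWS07 and the address 10.0.5.23 are invented for the example. The second 647 record has no matching logon event, which is the post's situation, and resolves to nothing.

```python
import re

# Constructed sample events, laid out in the "Key: Value" form the post quotes.
# The first 647 record mirrors the one in the post; the 528 logon record, the
# workstation name ADMINWS07 and the address 10.0.5.23 are invented here.
SAMPLE_EVENTS = [
    """Event ID: 528
Date: 24/04/2008
Time: 10:03:12 AM
Description:
Successful Logon:
User Name: domadmin
Domain: MYDOMAIN
Logon ID: (0x0,0x4D53D30)
Logon Type: 10
Workstation Name: ADMINWS07
Source Network Address: 10.0.5.23
Source Port: 1104""",
    """Event ID: 647
Date: 24/04/2008
Time: 10:20:41 AM
Description:
Computer Account Deleted:
Target Account Name: COMPUTER462$
Target Domain: MYDOMAIN
Caller User Name: domadmin
Caller Domain: MYDOMAIN
Caller Logon ID: (0x0,0x4D53D30)
Privileges: -""",
    # Constructed deletion whose session has no logon event in the sample:
    # this is the post's situation (Logon/Logoff auditing not collected).
    """Event ID: 647
Date: 24/04/2008
Time: 11:02:09 AM
Description:
Computer Account Deleted:
Target Account Name: COMPUTER199$
Target Domain: MYDOMAIN
Caller User Name: domadmin
Caller Domain: MYDOMAIN
Caller Logon ID: (0x0,0x51A2C10)
Privileges: -""",
]

# Windows Server 2003 success-audit IDs that record the start of a session
# together with the client's workstation name / source network address.
LOGON_EVENT_IDS = {"528", "540"}


def parse_event(text):
    """Turn one 'Key: Value' event body into a dict (first colon splits key and value)."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def normalize_logon_id(logon_id):
    """Compare logon IDs ignoring case and spacing: (0x0,0x4D53D30) == (0x0,0x4d53d30)."""
    return re.sub(r"\s+", "", logon_id).lower()


def build_logon_index(events):
    """Map each session's Logon ID to the logon event that opened the session."""
    index = {}
    for ev in events:
        if ev.get("Event ID") in LOGON_EVENT_IDS and "Logon ID" in ev:
            index[normalize_logon_id(ev["Logon ID"])] = ev
    return index


def trace_callers(raw_events):
    """For every event carrying a Caller Logon ID, resolve the originating session.

    Returns one dict per such event; workstation/source_ip are None when no
    logon event with that Logon ID was found in the input.
    """
    events = [parse_event(t) for t in raw_events]
    index = build_logon_index(events)
    results = []
    for ev in events:
        if "Caller Logon ID" not in ev:
            continue
        logon = index.get(normalize_logon_id(ev["Caller Logon ID"]))
        results.append({
            "event_id": ev.get("Event ID"),
            "target": ev.get("Target Account Name"),
            "caller": f'{ev.get("Caller Domain")}\\{ev.get("Caller User Name")}',
            "caller_logon_id": ev["Caller Logon ID"],
            "logon_type": logon.get("Logon Type") if logon else None,
            "workstation": logon.get("Workstation Name") if logon else None,
            "source_ip": logon.get("Source Network Address") if logon else None,
        })
    return results


if __name__ == "__main__":
    for r in trace_callers(SAMPLE_EVENTS):
        print(r)
```

Logon Type 10 in the resolved session is the RemoteInteractive (Terminal Services) type, which is what an RDP session to the DC would show; the same join also works for other Account Management events, since they all carry a Caller Logon ID. Without the logon events the ID alone cannot be resolved, because it is only meaningful on the machine that created the session and only while that session's logon record exists.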
