question

RogerRoger-2394 asked DaisyZhou-MSFT commented

AD User modified

Hi All

A user's sAMAccountName, UPN, and email address were modified in on-prem AD. How can I know who modified them and when they were modified? Experts, please help me get this information.

windows-server windows-active-directory windows-server-2019 windows-server-2016 windows-server-2012

Hello @RogerRoger-2394,
I'm just following up to make sure you received my last reply and that my answers properly address your questions. If you have any further questions or concerns about this post, please let us know.


Best Regards,
Daisy Zhou

============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.


Hello @RogerRoger-2394,
How are things going on your end? Please keep me posted on this issue.
If you have any further questions or concerns about this question, please let us know.
I appreciate your time and efforts.

Best Regards,
Daisy Zhou

DaisyZhou-MSFT answered

Hello @RogerRoger-2394,

Thank you for posting here.

Q: How can I know who has modified it and when it was modified?
A: If you enabled the audit policy before the account was changed, you can check the Security log on the DC.

Here is my test in my lab.

1. Enable the Audit account management policy. In my case, I edited the GPO settings in the Default Domain Policy.

Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy
Audit Account Management – Success and Failure

Or use advanced audit policies (advanced audit policies will overwrite all legacy audit policies by default):
Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration
Account Management
Audit User Account Management – Success and Failure

Note:
If you have never configured any advanced audit policy before, then you can configure the legacy audit policy.

If you have configured any one advanced audit policy before, then you should configure the advanced audit policy.

2. Enable auditing settings on one domain account or the parent container.
In my case, I enabled auditing settings on one domain account (daisy5).

Principal: Everyone
Type: All
Applies to: This object only (Note: if you set it on an OU with many users, please select All descendant objects)

Click the Clear all button and click all the following properties.

[Screenshot: 100029-au1.png]

[Screenshot: 100030-au2.png]


3. If I change the sAMAccountName of daisy5 from daisy5 to daisy56, I can see event IDs 4781 and 4738.

[Screenshot: 99999-chan4.png]

[Screenshot: 100000-chan5.png]

4. If I change the UPN of daisy5 from host/daisy5.b.local@B.LOCAL to host/daisy55.b.local@B.LOCAL, I can see event IDs 4738 and 5136.

[Screenshot: 100091-chan1.png]

[Screenshot: 100045-chan2.png]

5. If I change the email address of daisy5 from blank to daisy5@qq.com, I can see event ID 5136.

[Screenshot: 100073-chan3.png]


Hope the information above is helpful.

Should you have any question or concern, please feel free to let us know.


Best Regards,
Daisy Zhou
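
An added example, not part of the answer above and not Microsoft's own code: a PowerShell function that reads the XML of the three event IDs seen in the lab test (4781, 4738, 5136) and reports who made the change, when, and what changed. The function name, the sample event, the `admin1` account and the object DN are constructed for illustration; the `Data` field names are those of the standard Security event schemas.

```powershell
# Added example: turn event XML for IDs 4781, 4738 and 5136 into who/when/what rows.
function Get-AdUserChangeSummary {   # hypothetical helper name
    param([Parameter(Mandatory, ValueFromPipeline)][string]$EventXml)
    process {
        $evt = ([xml]$EventXml).Event
        $id  = [int]$evt.System['EventID'].InnerText
        $d   = @{}   # EventData fields keyed by their Name attribute
        foreach ($n in $evt.EventData.Data) { $d[$n.GetAttribute('Name')] = $n.InnerText }
        switch ($id) {
            4781 { $target = $d.OldTargetUserName
                   $change = "sAMAccountName: $($d.OldTargetUserName) -> $($d.NewTargetUserName)" }
            4738 { $target = $d.TargetUserName
                   # 4738 logs attributes that did not change as "-"
                   $change = ('SamAccountName', 'UserPrincipalName' |
                       Where-Object { $d[$_] -and $d[$_] -ne '-' } |
                       ForEach-Object { "$_ = $($d[$_])" }) -join '; ' }
            5136 { $target = $d.ObjectDN
                   $op = @{ '%%14674' = 'added'; '%%14675' = 'deleted' }[$d.OperationType]
                   $change = "$($d.AttributeLDAPDisplayName): value $op '$($d.AttributeValue)'" }
            default { return }   # ignore any other event ID
        }
        [pscustomobject]@{
            When      = $evt.System.TimeCreated.SystemTime   # UTC, as logged
            EventId   = $id
            ChangedBy = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            Target    = $target
            Change    = $change
        }
    }
}

# Constructed sample event (not real log data): the mail change from step 5.
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>5136</EventID><TimeCreated SystemTime="2021-05-27T08:15:30.000000000Z" /></System>
  <EventData>
    <Data Name="SubjectUserName">admin1</Data>
    <Data Name="SubjectDomainName">B</Data>
    <Data Name="ObjectDN">CN=daisy5,CN=Users,DC=b,DC=local</Data>
    <Data Name="AttributeLDAPDisplayName">mail</Data>
    <Data Name="AttributeValue">daisy5@qq.com</Data>
    <Data Name="OperationType">%%14674</Data>
  </EventData>
</Event>
'@
$sample | Get-AdUserChangeSummary
# On a DC, feed it the live Security log instead:
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4781, 4738, 5136 } |
#     ForEach-Object { $_.ToXml() } | Get-AdUserChangeSummary
```

Reading the Security log on a domain controller requires an elevated session, and each DC keeps its own log, so the query has to run against the DC that processed the change.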

aliabbasi-0397 answered

Hi Roger, here is the link that might be able to help you:

https://www.lepide.com/how-to/track-changes-in-active-directory.html

RogerRoger-2394 answered

Is event ID 4738 enough to trace this?
