Account disappears

Jason

Ok, you ready for a laugh, because I am full of tears. I have an account that constantly removes itself from ACTIVE DIRECTORY; when this happens, 90% of the time the mailbox is left intact [to reattach later] but sometimes it will delete as well. This user is an ADMIN and if I create an INSTALL type account it still happens. This account has been created by myself, him and others and it still disappears. We have no security holes and it is not an ongoing prank; it has been going on and off for several months now. There are no discernible commonalities that would explain this. Also, the account will sometimes give tell-tale signs of trouble. The password will expire [set to never expire], the account will lock itself out, etc. We've created new users for new employees and have yet to have any problems with these new accounts, and no problems with any other ADMIN styled account. I/WE need serious help. We can't continue to have an account disappear 5 times a day, or work fine for a week and then disappear again without cause. Thanks. Annoyed
 
Jason Robarts [MSFT]

This KB explains how to turn on Active Directory auditing in Windows Server
2003: http://support.microsoft.com/default.aspx?kbid=814595 Here's a
similar article for Windows 2000:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;314955 Per the help
on the auditing policies for Windows Server 2003 we find the Account
Management policy is set to audit success events by default so that may be
sufficient. I had to turn on the Account Management auditing to audit
success events to detect the deletion in Windows 2000.

If you have a small number of DCs and a small number of changes occurring on
your DCs you may be able to just browse your event log and find out what
user is deleting the account. If there is just too much information to
check, below is information on how to find out when the deletion happened
and on what DC. The general strategy is we're going to find the deleted
object in the Deleted Objects container, then query the object's metadata to
find the time the deletion occurred and on what DC. That allows us to focus
our search in the event log for the auditing event. If someone knows a
cleaner way to do this please post a reply.

First you'll find the object in the Deleted Objects container.
http://support.microsoft.com/default.aspx?scid=kb;en-us;258310 has
information on how to do this. Then I'd take the current DN of the object
(it was changed by the deletion operation) and use it as an argument to
repadmin /showobjmeta
(http://www.microsoft.com/resources/...rv/2003/all/techref/en-us/repadmin_syntax.asp).
So on my test domain we find the following object in the deleted objects
container:

4> objectClass: top; person; organizationalPerson; user;
1> cn: foobar
DEL:cc358fbc-4abf-466b-b2d5-091928b39db6;
1> distinguishedName: CN=foobar\0ADEL:cc358fbc-4abf-466b-b2d5-091928b39db6,CN=Deleted Objects,DC=corp,DC=contoso,DC=com;
1> instanceType: 0x4 = ( IT_WRITE );
1> whenCreated: 07/12/2004 13:32:15 Pacific Standard Time Pacific Daylight Time;
1> whenChanged: 07/12/2004 13:32:20 Pacific Standard Time Pacific Daylight Time;
1> uSNCreated: 1260307;
1> isDeleted: TRUE;
1> uSNChanged: 1260316;
1> name: foobar
DEL:cc358fbc-4abf-466b-b2d5-091928b39db6;
1> objectGUID: cc358fbc-4abf-466b-b2d5-091928b39db6;
1> userAccountControl: 0x202 = ( UF_ACCOUNTDISABLE | UF_NORMAL_ACCOUNT );
1> objectSid: S-1-5-21-3436611310-4029176544-906490007-1109;
1> sAMAccountName: foobar;
1> lastKnownParent: CN=Users,DC=corp,DC=contoso,DC=com;
4> dSCorePropagationData: 07/12/2004 13:32:20 Pacific Standard Time Pacific Daylight Time; 07/12/2004 13:32:20 Pacific Standard Time Pacific Daylight Time; 07/12/2004 13:32:20 Pacific Standard Time Pacific Daylight Time; 01/08/1601 07:10:56 Pacific Standard Time Pacific Daylight Time;


We take the DN of the object and use repadmin to show the replication
metadata:

C:\Documents and Settings\Administrator>repadmin /showobjmeta localhost "CN=foobar\0ADEL:cc358fbc-4abf-466b-b2d5-091928b39db6,CN=Deleted Objects,DC=corp,DC=contoso,DC=com"

27 entries.
Loc.USN  Originating DC            Org.USN  Org.Time/Date        Ver  Attribute
=======  ========================  =======  ===================  ===  =========
1260307  Data-Center-Site\ROOTDC1  1260307  2004-07-12 13:32:15    1  objectClass
1260316  Data-Center-Site\ROOTDC1  1260316  2004-07-12 13:32:20    2  cn
1260316  Data-Center-Site\ROOTDC1  1260316  2004-07-12 13:32:20    2  givenName
1260307  Data-Center-Site\ROOTDC1  1260307  2004-07-12 13:32:15    1  instanceType
1260307  Data-Center-Site\ROOTDC1  1260307  2004-07-12 13:32:15    1  whenCreated
1260316  Data-Center-Site\ROOTDC1  1260316  2004-07-12 13:32:20    2  displayName
1260316  Data-Center-Site\ROOTDC1  1260316  2004-07-12 13:32:20    1  isDeleted
1260311  Data-Center-Site\ROOTDC1  1260311  2004-07-12 13:32:15    2  nTSecurityDescriptor
1260316  Data-Center-Site\ROOTDC1  1260316  2004-07-12 13:32:20    2  name
1260313  Data-Center-Site\ROOTDC1  1260313  2004-07-12 13:32:15    3  userAccountControl
1260316  Data-Center-Site\ROOTDC1  1260316  2004-07-12 13:32:20    2  codePage
1260316  Data-Center-Site\ROOTDC1  1260316  2004-07-12 13:32:20    2  countryCode
1260309  Data-Center-Site\ROOTDC1  1260309  2004-07-12 13:32:15    2  dBCSPwd
1260308  Data-Center-Site\ROOTDC1  1260308  2004-07-12 13:32:15    1  logonHours
1260316  Data-Center-Site\ROOTDC1  1260316  2004-07-12 13:32:20    3  unicodePwd
1260308  Data-Center-Site\ROOTDC1  1260308  2004-07-12 13:32:15    1  ntPwdHistory
1260316  Data-Center-Site\ROOTDC1  1260316  2004-07-12 13:32:20    3  pwdLastSet
1260316  Data-Center-Site\ROOTDC1  1260316  2004-07-12 13:32:20    2  primaryGroupID
1260316  Data-Center-Site\ROOTDC1  1260316  2004-07-12 13:32:20    2  supplementalCredentials
1260307  Data-Center-Site\ROOTDC1  1260307  2004-07-12 13:32:15    1  objectSid
1260316  Data-Center-Site\ROOTDC1  1260316  2004-07-12 13:32:20    2  accountExpires
1260308  Data-Center-Site\ROOTDC1  1260308  2004-07-12 13:32:15    1  lmPwdHistory
1260307  Data-Center-Site\ROOTDC1  1260307  2004-07-12 13:32:15    1  sAMAccountName
1260316  Data-Center-Site\ROOTDC1  1260316  2004-07-12 13:32:20    2  sAMAccountType
1260316  Data-Center-Site\ROOTDC1  1260316  2004-07-12 13:32:20    2  userPrincipalName
1260316  Data-Center-Site\ROOTDC1  1260316  2004-07-12 13:32:20    1  lastKnownParent
1260316  Data-Center-Site\ROOTDC1  1260316  2004-07-12 13:32:20    2  objectCategory

0 entries.
Type  Attribute  Last Mod Time  Originating DC  Loc.USN  Org.USN  Ver  Distinguished Name
====  =========  =============  ==============  =======  =======  ===  ==================

Looking for the Originating DC for the write on the isDeleted attribute we
find the deletion was performed on ROOTDC1 at ~ 1:32 PM:

1260316  Data-Center-Site\ROOTDC1  1260316  2004-07-12 13:32:20    1  isDeleted

Then I'd look in the Security log in Event Viewer on that DC to try and find
the deletion event. If you don't want to audit all of the DCs in your
domain you might start by auditing the one the originating write occurred
on. Of course the deletion might not occur on that one the next time. You
can use this procedure to determine that the next time it happens.

When I looked in the Server log on ROOTDC1 I found the following event:

Event Type: Success Audit
Event Source: Security
Event Category: Account Management
Event ID: 630
Date: 7/12/2004
Time: 1:32:20 PM
User: CORP\administrator
Computer: ROOTDC1
Description:
User Account Deleted:
Target Account Name: foobar
Target Domain: CORP
Target Account ID: foobar
DEL:cc358fbc-4abf-466b-b2d5-091928b39db6
Caller User Name: administrator
Caller Domain: CORP
Caller Logon ID: (0x0,0x5B90B5)
Privileges: -


For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.


So we know the CORP\administrator account deleted the object. That
hopefully will get you started on tracking this.



If you are using Windows 2000, repadmin has a /showmeta option that will
give you the same information. You'll want to take the value of the
objectGUID attribute and pass it to repadmin like so:

repadmin /showmeta "<GUID=696ab3b0-4bc0-4398-b630-988653db88b6>"

DEL:696ab3b0-4bc0-4398-b630-988653db88b6,CN=Deleted Objects,DC=corp,DC=contoso,DC=com
1> cn: TestUser1134
DEL:696ab3b0-4bc0-4398-b630-988653db88b6;
1> instanceType: 4;
1> isDeleted: TRUE;
1> distinguishedName: CN=TestUser1134\
DEL:696ab3b0-4bc0-4398-b630-988653db88b6,CN=Deleted Objects,DC=corp,DC=contoso,DC=com;
4> objectClass: top; person; organizationalPerson; user;
1> objectGUID: 696ab3b0-4bc0-4398-b630-988653db88b6;
1> objectSid: S-15-6DECD52F-74BA50F4-320A1743-CA6;
1> name: TestUser1134
DEL:696ab3b0-4bc0-4398-b630-988653db88b6;
1> sAMAccountName: TestUser1134;
1> userAccountControl: 546;
1> uSNChanged: 441793;
1> uSNCreated: 440337;
1> whenChanged: 6/16/2004 13:48:19 Pacific Standard Time Pacific Daylight Time;
1> whenCreated: 6/16/2004 13:47:35 Pacific Standard Time Pacific Daylight Time;


Hope this helps.

Jason
--
This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples is subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm


Hunter Coleman

Sounds like they know pretty quickly when the account disappears. I'd just
use EventComb and search the Security logs for event ID 630 with a best
guess for the time window, optionally including the account ID in the
search. That shouldn't be too much resulting data to look through for the
exact audit event.

--
Hunter
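
Added example (my own code, not from either reply): a Python sketch of the workflow the two replies describe. It parses a constructed, line-wrapped repadmin /showobjmeta excerpt to pull the originating DC and time of the isDeleted write, then applies Hunter's event-630 time-window filter to constructed Security-log records. SHOWOBJMETA, EVENTS, BRANCHDC2, the caller names and the 5-minute window are all assumptions, not data from the thread.

```python
import re
from datetime import datetime, timedelta

# Constructed "repadmin /showobjmeta" excerpt (not the thread's real output),
# wrapped the way the post wrapped it: Ver/Attribute spill onto the next line.
SHOWOBJMETA = """\
Loc.USN Originating DC Org.USN Org.Time/Date
Ver Attribute
1260307 Data-Center-Site\\ROOTDC1 1260307 2004-07-12
13:32:15
1 objectClass
1260316 Data-Center-Site\\ROOTDC1 1260316 2004-07-12
13:32:20
1 isDeleted
"""

# One row: Loc.USN, Site\DC, Org.USN, date, time, Ver, Attribute; \s+ also
# matches newlines, so a wrapped row parses exactly like an unwrapped one.
ROW = re.compile(r"(\d+)\s+([^\s\\]+)\\([^\s\\]+)\s+(\d+)\s+(\d{4}-\d{2}-\d{2})\s+"
                 r"(\d{2}:\d{2}:\d{2})\s+(\d+)\s+([A-Za-z]\w*)")

def parse_showobjmeta(text):
    """One dict per attribute row of repadmin /showobjmeta output."""
    return [{"loc_usn": int(loc), "site": site, "dc": dc, "org_usn": int(org),
             "time": datetime.strptime(day + " " + clock, "%Y-%m-%d %H:%M:%S"),
             "ver": int(ver), "attr": attr}
            for loc, site, dc, org, day, clock, ver, attr in ROW.findall(text)]

def deletion_origin(rows):
    """(originating DC, time) of the isDeleted write; None if the object is live."""
    hit = next((r for r in rows if r["attr"] == "isDeleted"), None)
    return (hit["dc"], hit["time"]) if hit else None

# Constructed Security-log records; fields mirror the event 630 text in the thread.
EVENTS = [
    {"id": 630, "computer": "ROOTDC1", "time": "2004-07-12 13:32:20",
     "target": "foobar", "caller": "CORP\\administrator"},
    {"id": 630, "computer": "ROOTDC1", "time": "2004-07-12 09:05:11",
     "target": "tempcontractor", "caller": "CORP\\helpdesk01"},
    {"id": 630, "computer": "BRANCHDC2", "time": "2004-07-12 13:32:20",
     "target": "foobar", "caller": "CORP\\svc-provision"},
]

def matching_deletion_events(events, dc, when, window=timedelta(minutes=5), target=None):
    """Event 630 on the originating DC within +/- window of the isDeleted write, optionally for one account."""
    hits = []
    for e in events:
        t = datetime.strptime(e["time"], "%Y-%m-%d %H:%M:%S")
        if (e["id"] == 630 and e["computer"].upper() == dc.upper()
                and abs(t - when) <= window and target in (None, e["target"])):
            hits.append(e)
    return hits

def who_deleted(showobjmeta_text, events, target=None):
    """Caller names from the audit events that line up with the replication metadata."""
    origin = deletion_origin(parse_showobjmeta(showobjmeta_text))
    if origin is None:
        return []
    dc, when = origin
    return [e["caller"] for e in matching_deletion_events(events, dc, when, target=target)]
```

On a real DC the same logic applies to the pasted /showobjmeta text and an export of the Security log; the DC name comparison is case-insensitive because event records and repadmin do not always agree on case.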

