AD User Account Illusions

Jason L

I have an account that continually disappears out of AD
and a new account must be created and the old Exchange box
joined to it.

I can't seem to find a pattern and the Security Event logs
don't last long enough with the amount of info we have
being written to see the possible cause.

Any suggestions? 3rd party auditing/monitoring software
perhaps?

Thanks in advance.
 
Laura E. Hunter (MVP)

Unless you've got a -serious- space issue happening, why not simply increase
the available disk space allotted to your security logs so that the relevant
information stays around longer? Right-click on the security log in Event
Viewer and set the maximum size (in KB) from the Properties sheet. I crank
mine up to around 5MB, and that keeps data around for at least a day or two
even with all of my crazy auditing turned on.
 
Jason L

We have the logs set at maximum, which is 4,194,240k. This
lasts us approximately 12-23 minutes. We are not typically
aware of the account's removal in that time window.
 
Andrew Mitchell

Jason L said:
We have the logs set at maximum, which is 4,194,240k. This
lasts us approximately 12-23 minutes. We are not typically
aware of the account's removal in that time window.

What events are you logging? Can you turn any off for a day or so until you
find out what's going on?
 
Jason

I wish we could, but we have a fairly large domain and it
would be just our luck to cut something and have a
tragedy of some sort take place. Also, because again the
disappearance is intermittent, usually daily but may be a
2 day stretch at the most, we can't shut off events for
that long a period.

From what I can tell, I am looking for EventID 630 [account
deleted] or EventID 629 [account disabled].

Those tend to be the 2 things that happen most often.
There is also the occasional reset password occurrence with
another EventID I can't think of. That's why I was
wondering about a 3rd party utility that I can set up to look
for specific events separate from the ones we administer
daily. Thanks
 
Andrew Mitchell

Jason said:
I wish we could, but we have a fairly large domain and it
would be just our luck to cut something and have a
tragedy of some sort take place.

If the logs are only available for 23 minutes they are next to useless
anyway. Do you have the volume shadow copy service running on the drive the
logs are on? It may be possible to retrieve some of the older logs through
that method.
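
Added example (not part of the original thread and not any poster's code): one way to keep only the events named above, 629 and 630, out of a log that wraps within minutes is to scan frequent exports and remember the highest record number already processed. The CSV columns, message layout, account names and the `scan` function are assumptions constructed for illustration.

```python
import csv
import io
import re

# Event IDs named in the thread.
WATCHED_IDS = {629: "account disabled", 630: "account deleted"}

# Constructed sample data: two overlapping CSV exports of a Security log.
# Column names and message layout are assumptions for this example.
EXPORT_1 = """record,time,event_id,message
1001,2004-03-01 09:14:02,528,Successful Logon: User Name: bsmith Domain: CORP
1002,2004-03-01 09:15:40,629,User Account Disabled: Target Account Name: jdoe Caller User Name: svc_sync
"""
EXPORT_2 = """record,time,event_id,message
1002,2004-03-01 09:15:40,629,User Account Disabled: Target Account Name: jdoe Caller User Name: svc_sync
1003,2004-03-01 09:15:41,630,User Account Deleted: Target Account Name: jdoe Caller User Name: svc_sync
1004,2004-03-01 09:20:10,630,User Account Deleted: Target Account Name: tempuser Caller User Name: admin1
"""

FIELD = re.compile(r"(Target Account Name|Caller User Name):\s*(\S+)")


def scan(export_text, last_record=0, account=None):
    """Return (hits, newest_record) for watched events newer than last_record.

    Passing newest_record back in on the next run skips events already
    captured, so exports may overlap without producing duplicates.
    """
    hits, newest = [], last_record
    for row in csv.DictReader(io.StringIO(export_text)):
        rec, eid = int(row["record"]), int(row["event_id"])
        newest = max(newest, rec)
        if rec <= last_record or eid not in WATCHED_IDS:
            continue
        fields = dict(FIELD.findall(row["message"]))
        target = fields.get("Target Account Name", "")
        if account and target.lower() != account.lower():
            continue
        hits.append({"record": rec, "time": row["time"], "event_id": eid,
                     "action": WATCHED_IDS[eid], "target": target,
                     "caller": fields.get("Caller User Name", "")})
    return hits, newest


if __name__ == "__main__":
    seen = 0
    for export in (EXPORT_1, EXPORT_2):
        found, seen = scan(export, seen, account="jdoe")
        for hit in found:
            print(hit)
```

The hits are small enough to append to a separate file that outlives the wrapping log, provided the export interval is shorter than the time the log takes to wrap.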
 
