Missing Computers Object in AD

G

Guest

Hi,

I had a issue with a user unable to login into the Domain, I identified the
problem to be the computer object of the PC was missing from AD. I have tried
to investigate as to how or who deleted this object and have a filter in our
Securoty logs for 630, 564 and 563 events with Security as the event source
but nothing comes up.
Is it that AD has dropped this object for some reason or am I viewing the
wrong event in Event Viewer.
I need to find out how this computer object has been deleted an by whom?

xor
 
H

Herb Martin

xor said:
Hi,

I had a issue with a user unable to login into the Domain, I identified the
problem to be the computer object of the PC was missing from AD. I have tried
to investigate as to how or who deleted this object and have a filter in our
Securoty logs for 630, 564 and 563 events with Security as the event source
but nothing comes up.
Is it that AD has dropped this object for some reason or am I viewing the
wrong event in Event Viewer.
I need to find out how this computer object has been deleted an by whom?
Click to expand...


If you had Account Management auditing enabled and the logs haven't been
cleared then it should be in there -- without Account Management
auditing you probably cannot find out after the fact.

Also, it might be on a DIFFERENT DC so you have to check all of them
(multi-mastered AD and all that.)

You might also search for it - maybe it is in the wrong container (how
about LostAndFound?) and is hosed for some reason rather than deleted...

View->Advanced is required to see LostandFound (in AD Users/Computers.)
 
H

Hank Arnold

Herb,

Hope you are in Europe, because if you are in the US (like me in New York),
we both need to get a life (it's 3AM here)... ;-)
 
H

Herb Martin

Hank Arnold said:
Herb,

Hope you are in Europe, because if you are in the US (like me in New York),
we both need to get a life (it's 3AM here)... ;-)
Click to expand...

Austin, TX

But even when I worked for Microsoft and answered a lot of
questions on the internal MCS lists, it was commonly thought
there was no "Herb Martin", just a "HerbM bot" that had a
some sort of pattern matcher working against the KB

....written in Lisp of course. <grin>
 
G

Guest

I had checked the security log on both our DC's.. but non of these events
were logged. I have done an ldap search on our GC sevrer but it is unable to
find the object also nothing in Lost and Found. I am searching for these
security events in the security log (630|564|563).. are there other events I
should be looking out for which will log the deletion of this computer
object.
Auditing has been enabled on the Domain and Domian Controllers Group Policy

Audit directory service access - Success, Failure

xor

Herb Martin said:
xor said:
Hi,

I had a issue with a user unable to login into the Domain, I identified the
problem to be the computer object of the PC was missing from AD. I have tried
to investigate as to how or who deleted this object and have a filter in our
Securoty logs for 630, 564 and 563 events with Security as the event source
but nothing comes up.
Is it that AD has dropped this object for some reason or am I viewing the
wrong event in Event Viewer.
I need to find out how this computer object has been deleted an by whom?
Click to expand...


If you had Account Management auditing enabled and the logs haven't been
cleared then it should be in there -- without Account Management
auditing you probably cannot find out after the fact.

Also, it might be on a DIFFERENT DC so you have to check all of them
(multi-mastered AD and all that.)

You might also search for it - maybe it is in the wrong container (how
about LostAndFound?) and is hosed for some reason rather than deleted...

View->Advanced is required to see LostandFound (in AD Users/Computers.)


--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]
xor
Click to expand...
Click to expand...
 
H

Herb Martin

Auditing has been enabled on the Domain and Domian Controllers Group
Policy
Audit directory service access - Success, Failure
Click to expand...

I think what you really wish to audit is Account Management
(although DS access would work IF you also set ACLs on
every interesting object -- like files or other objects in Object
auditing, DS objects require to double setup: auditing AND
ACLs.)
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

computers update object property of in AD 2
Can't move AD object 2
Object renaming in AD using vbscript 1
Cannot delete computer object in AD 2
AD Computer objects displaying wrong icon 1
Delete a DC account:'DSA object cannot be deleted' 1
Directory Service Access Security Failure 565 with Object=GUID 6
How to force Sync. the object in AD 1

Top