Introduction
When a user account is deleted, that user can no longer log into IT systems using domain authentication from any computer in the organization. For users who are already logged in, access to email, SharePoint, SQL Server, shared folders and other domain-authenticated services becomes unavailable.
Steps (5 total)
Run GPMC.msc → open “Default Domain Policy” → Computer Configuration → Policies → Windows Settings → Security Settings:
Local Policies → Audit Policy → Audit account management → Define → Success
Computer Configuration → Policies → Windows Settings → Security Settings → Event Log → Define → set Maximum security log size to 1 GB and Retention method for security log to Overwrite events as needed.
Open ADSI Edit → Connect to Default naming context → right click “DC=domain name” → Properties → Security (Tab) → Advanced → Auditing (Tab) → Click “Add” → Choose the following settings:
Principal: Everyone
Type: Success
Applies to: This object and all descendant objects
Permissions: Delete all child objects → Click “OK”.
To determine which user account was deleted and who deleted it, filter the Security event log for events with ID 4726 ("A user account was deleted").
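The last step can be scripted instead of filtering the log by hand. The following PowerShell is an added example (not from the original page): it pulls Event ID 4726 entries from the Security log of a domain controller and reports the deleted account and the account that performed the deletion. The $DomainController and $Hours parameters are assumptions; the script must run with rights to read the Security log.

```powershell
# Added example: list recent user-account deletions (Event ID 4726) and
# show who deleted which account. $DomainController and $Hours are assumed
# parameters; run as an account allowed to read the DC's Security log.
param(
    [string]$DomainController = $env:COMPUTERNAME,
    [int]$Hours = 24
)

$filter = @{
    LogName   = 'Security'
    Id        = 4726                           # "A user account was deleted"
    StartTime = (Get-Date).AddHours(-$Hours)
}

try {
    $events = Get-WinEvent -ComputerName $DomainController -FilterHashtable $filter -ErrorAction Stop
}
catch {
    # Get-WinEvent throws when nothing matches; report it instead of failing.
    Write-Warning "No 4726 events on $DomainController in the last $Hours hours ($($_.Exception.Message))"
    return
}

foreach ($event in $events) {
    # The useful fields live in EventData; parse the event XML to read them by name.
    $xml  = [xml]$event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    [pscustomobject]@{
        Time             = $event.TimeCreated
        DeletedAccount   = "$($data['TargetDomainName'])\$($data['TargetUserName'])"   # account that was deleted
        DeletedSid       = $data['TargetSid']
        DeletedBy        = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])" # who performed the deletion
        SubjectLogonId   = $data['SubjectLogonId']   # correlate with the 4624 logon event of that session
        DomainController = $DomainController
    }
}
```

Run it against each domain controller, since Security logs are not replicated and the 4726 event is only written on the DC that processed the deletion.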
Conclusion
Auditing of Active Directory objects should be enabled in order to track deletions and changes.