Also, replication metadata would only show when the last change was made. If an account is disabled, re-enabled, then disabled again, the metadata timestamp on the UAC attribute would only show a change at the time of the final disabling, and then only if we assume that no other changes were made.

The real question in all of this appears to be "who had access when they shouldn't have?" and the real answer is "we don't really know." Our responsibility as IT folks is to ask the compliance guys "how much do you want to know in order to convince yourself that anything bad that happens isn't our fault?" and then tell them how much it's going to cost them. In the end you can't say with any certainty who had access to what and when for the entirety of your enterprise. You have to select either a subset of the resources and/or a subset of the people and try to answer as best you can on the constrained set.

Wook

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Steve Linehan
Sent: Wednesday, January 03, 2007 8:02 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Disabled user + when

As Edward pointed out, to really get the authoritative data you want you would need to have historic audit logs. Another, less reliable method that you can use is to look at the replication metadata for the UserAccountControl attribute. This is the attribute that gets updated when the account is disabled. The problem is that this attribute is a collection of flags, so if anyone changed any of the other settings, such as "User cannot change password", after disabling the account, the data will not be accurate. There are many tools that will show you the metadata on an object, such as repadmin /showobjmeta.

Thanks,

-Steve

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Ziots, Edward
Sent: Wednesday, January 03, 2007 9:38 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Disabled user + when

Then you are going to have to restore the logs from your server and sift through them from the last quarter. Good luck on that one.... You really need to invest in event log management and archival software for compliance issues to really do what you want to do; the standard tools are not going to help you in this endeavor.

EZ

Edward E. Ziots
Network Engineer
Lifespan Organization
MCSE, MCSA, MCP+I, M.E, CCA, Network+, Security+
email: [EMAIL PROTECTED]
cell: 401-639-3505

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Parag Nagwekar
Sent: Wednesday, January 03, 2007 10:28 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Disabled user + when

Thanks for the quick response. I don't have logs for more than 2 days on the DCs. They get overwritten due to size. Is there any other way? In future I will have monitoring to detect the event and send me an email for future reference. But right now I need information from the last quarter.

Thanks
-Parag

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Ziots, Edward
Sent: Wednesday, January 03, 2007 4:56 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Disabled user + when

Auditing. You are looking for the following event ID:

Event Type = Account Management
Event ID 629 (User account disabled)

Edward E. Ziots
Network Engineer
Lifespan Organization
MCSE, MCSA, MCP+I, M.E, CCA, Network+, Security+
email: [EMAIL PROTECTED]
cell: 401-639-3505

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Parag Nagwekar
Sent: Tuesday, January 02, 2007 9:47 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Disabled user + when

Team,

Is there a way to find when a user account was disabled in AD? Our SOX auditor would like to see the list of users whose accounts were disabled in the last quarter, plus the date when they were disabled. They will match this information with the HR database. We can't rely on the whenmodified attribute because the helpdesk team takes a day or two to complete the rest of the termination process on that account after the account is disabled.

-Parag
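The replication-metadata approach Steve Linehan describes above, with the caveat from Wook's reply built in, as an added example that is not part of the thread. It assumes the RSAT ActiveDirectory PowerShell module on a domain with at least one Windows Server 2012 DC (Get-ADReplicationAttributeMetadata is the scripted equivalent of repadmin /showobjmeta); the three-month window and column names are this example's own choices.

```powershell
# Added example (not from the thread). Lists currently disabled users and the
# last originating write to userAccountControl. That timestamp is only an UPPER
# BOUND on the disable time: userAccountControl is a bit-field, so any later
# flag change (e.g. "User cannot change password", or a re-enable/re-disable
# cycle) overwrites it, exactly as Steve and Wook point out. Audit logs
# (Event ID 629 on a 2003-era DC, per Edward) remain the authoritative source.
Import-Module ActiveDirectory

$ACCOUNTDISABLE = 0x0002                              # UF_ACCOUNTDISABLE bit
$quarterStart   = (Get-Date).AddMonths(-3)            # assumption: "last quarter" = 3 months
$dc             = (Get-ADDomainController -Discover).HostName | Select-Object -First 1

Get-ADUser -Filter 'Enabled -eq $false' -Properties userAccountControl, whenChanged |
  ForEach-Object {
    # Per-attribute replication metadata for this one object, from one DC.
    $meta = Get-ADReplicationAttributeMetadata -Object $_.DistinguishedName `
              -Server $dc -Properties userAccountControl

    [pscustomobject]@{
      SamAccountName    = $_.SamAccountName
      IsDisabled        = ($_.userAccountControl -band $ACCOUNTDISABLE) -ne 0
      UACLastChanged    = $meta.LastOriginatingChangeTime   # upper bound on disable time
      UACWriteCount     = $meta.Version                     # higher = bit-field rewritten more often
      OriginatingDC     = $meta.LastOriginatingChangeDirectoryServerIdentity
      ObjectWhenChanged = $_.whenChanged                    # later still once helpdesk edits other attrs
    }
  } |
  Where-Object { $_.UACLastChanged -ge $quarterStart } |
  Sort-Object UACLastChanged |
  Format-Table -AutoSize
```

Treat a row whose UACWriteCount is high, or whose ObjectWhenChanged is much later than UACLastChanged, as one where the metadata date cannot be trusted on its own and the audit trail must be consulted.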