Tie AD Deleted Objects to User Who Deleted Them

Giganews Newsgroups
Subject: Tie AD Deleted Objects to User Who Deleted Them
Posted by:  isd503 (david.j.schmi…@us.army.mil)
Date: 2 Jan 2007

I am trying to find a software package to meet our needs for auditing
purposes.  We have a couple of products to track changes in the AD, but
nothing I find seems to be able to tell me who made the change.

I called around and was told this was because the deleted items are
tracked in the AD while the user who made the change (or deletion) was
tracked in the Security Event Log.

We use Logcaster to track the Event Logs on our DCs.  We also use
Quest AD Recovery Manager (ADRM), which has a fairly detailed reporting
feature.  If I were to give this report to an auditor, I should be able
to tell who made a particular AD change if the auditor wants
information on a specific item in the report.

Is this an accurate assessment of what it takes to obtain this kind of
information from the AD?  If so, is there a software package that "does
it all"?  Quest tells me the reporting feature of ADRM is a "secondary"
feature, so they, apparently, have not put a significant amount of
effort into it.  They did tell me there was another Quest product I
could buy that would be better; how helpful...

I thought the purpose of tracking changes to something was to be able
to report it.

Please help me understand how and where the AD stores changes to its
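As an added example (not part of the post, and not code from Logcaster or Quest ADRM), the PowerShell below does the correlation the post asks for: it joins the deleted objects still held in AD with the Security log entries on the DC that record who deleted them. It assumes the DCs run Windows Server 2008 or later with the "Audit Directory Service Changes" subcategory enabled for Success, the RSAT ActiveDirectory module is installed, the caller can read the DC's Security log, and `dc01.example.local` is a placeholder DC name.

```powershell
# Added example: tie each AD deleted object to the account that deleted it.
# AD keeps the tombstone (what was deleted); the DC Security log keeps
# event 5141 "A directory service object was deleted" (who did it).
# objectGUID is the join key: DNs are mangled on deletion, GUIDs are not.
param(
    [string]$DC   = 'dc01.example.local',   # placeholder DC name
    [int]   $Days = 30
)
Import-Module ActiveDirectory
$since = (Get-Date).AddDays(-$Days)

# 1. Deleted objects: isDeleted=TRUE under CN=Deleted Objects until the
#    tombstone lifetime expires; whenChanged is the deletion time.
$deleted = Get-ADObject -Server $DC -IncludeDeletedObjects `
    -Filter { isDeleted -eq $true -and name -ne 'Deleted Objects' `
              -and whenChanged -ge $since } `
    -Properties whenChanged, objectClass, lastKnownParent, 'msDS-LastKnownRDN'

# 2. Actor: event 5141 carries SubjectDomainName\SubjectUserName
#    and the ObjectGUID of the object that was deleted.
$events = Get-WinEvent -ComputerName $DC -FilterHashtable @{
    LogName = 'Security'; Id = 5141; StartTime = $since }

# Index events by GUID, normalised to no braces / lower case.
$byGuid = @{}
foreach ($e in $events) {
    $data = @{}
    foreach ($n in ([xml]$e.ToXml()).Event.EventData.Data) {
        $data[$n.Name] = $n.'#text'
    }
    $key = $data['ObjectGUID'].Trim('{}').ToLower()
    $byGuid[$key] = [pscustomobject]@{
        Actor = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
        When  = $e.TimeCreated
    }
}

# 3. Join. An object purged past tombstone lifetime appears only in the
#    log; an event past log retention appears only in AD, hence the gap marker.
$deleted | ForEach-Object {
    $hit = $byGuid[$_.ObjectGUID.ToString()]
    $actor = '<no 5141 event in range>'; $eventTime = $null
    if ($hit) { $actor = $hit.Actor; $eventTime = $hit.When }
    [pscustomobject]@{
        Object    = $_.'msDS-LastKnownRDN'
        Class     = $_.ObjectClass
        OldParent = $_.lastKnownParent
        DeletedAt = $_.whenChanged
        DeletedBy = $actor
        EventTime = $eventTime
    }
} | Sort-Object DeletedAt | Format-Table -AutoSize
```

Run it on each DC (or against a collector that forwards the DCs' Security logs), since 5141 is written only on the DC where the deletion was performed.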