    Finding who Changed a Property of an Active Directory User in PowerShell

    • nadnerB

      I’m pretty sure you’d need third-party auditing like Netwrix Auditor for AD for that level of logging.

      • wirestyle22 @nadnerB

        @nadnerB You can do it via Group Policy, I believe. I also think the default Windows Server auditing allows you to see this. I'm just wondering how you would view it in PowerShell, if you can, or if it would automatically be included if auditing is turned on.

        • Dashrender @wirestyle22

          That's just it - I don't think anyone here knows if auditing for something like that is even turned on by default. The audit history goes into the Event Viewer though (I'm pretty sure at least), so you'd have to search that for the change.

          • wirestyle22 @Dashrender

            It's not on by default, for sure.

            • RojoLoco

              I'm pretty sure you can turn on auditing, but something like the Netwrix app helps aggregate all that additional data into useful results.

              • wirestyle22 @RojoLoco

                I've generally been told by my co-workers over the years to never have auditing enabled because it destroys performance. I have no idea if this is true because frankly no company I've ever worked at has used it--including the one I am at now.

                • Dashrender @wirestyle22

                  It is true to a point - though "destroy" I guess would be more depending on how taxed the system is already. You'd have to get a baseline with it disabled, then enable it and look at how much new strain there is.

                  • wirestyle22 @Dashrender

                    No one is going to accept a performance hit with the premiums we are paying. Seems like an unsolvable problem. I priced out Netwrix and I can already see it's going to be an immediate no.

                    • Dashrender @wirestyle22

                      Well, this is a one-off issue - so yeah, spending money to solve this one issue seems crazy, especially with the prices for that shit!

                      What premium are you paying? Are the VMs not locally hosted on hardware you own? Is there no overhead on those servers, i.e. they are all running at 100% utilization, or near so?

                      • wirestyle22 @Dashrender

                        We have millions of dollars' worth of VxRail servers in our data center. They are just not going to want to take any performance hit whatsoever.

                        • Obsolesce

                          On-prem or off-prem? If on-prem, look at the audit log in Event Viewer. If Azure, go into the Azure AD audit logs. Both will tell you exactly who changed what.

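An added example, not part of the original thread: on-prem, the Event Viewer record discussed above is Security event 5136 on a domain controller, written only when the "Directory Service Changes" audit subcategory is enabled and the object's SACL audits the write. The function name, its parameters and the sample DN are assumptions made for illustration.

```powershell
# Added example. Get-ADAttributeChange and its parameters are hypothetical names.
# Run elevated on (or against) a domain controller.
function Get-ADAttributeChange {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ObjectDNLike,   # wildcard match, e.g. 'CN=Jane Doe,*' (constructed)
        [string]   $Attribute    = 'userPrincipalName',
        [datetime] $After        = (Get-Date).AddDays(-7),
        # 5136 is logged only on the DC that accepted the write, so query each DC in turn.
        [string]   $ComputerName = $env:COMPUTERNAME
    )

    $filter = @{ LogName = 'Security'; Id = 5136; StartTime = $After }
    $events = Get-WinEvent -FilterHashtable $filter -ComputerName $ComputerName -ErrorAction SilentlyContinue

    if (-not $events) {
        # Nothing returned usually means the audit subcategory or the SACL is not in place.
        Write-Warning ("No 5136 events returned from $ComputerName since $After. " +
            "Check: auditpol /get /subcategory:`"Directory Service Changes`"")
        return
    }

    foreach ($e in $events) {
        # Flatten the named <Data> fields of the event into a hashtable.
        $d = @{}
        foreach ($n in ([xml]$e.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

        if ($d.ObjectDN -notlike $ObjectDNLike) { continue }
        if ($d.AttributeLDAPDisplayName -ne $Attribute) { continue }   # -ne is case-insensitive

        [pscustomobject]@{
            TimeCreated   = $e.TimeCreated
            ChangedBy     = '{0}\{1}' -f $d.SubjectDomainName, $d.SubjectUserName
            ObjectDN      = $d.ObjectDN
            Attribute     = $d.AttributeLDAPDisplayName
            # %%14674 = value added, %%14675 = value deleted; a modify logs one of each.
            Operation     = $(switch ($d.OperationType) {
                                '%%14674' { 'Added' }
                                '%%14675' { 'Deleted' }
                                default   { $d.OperationType } })
            Value         = $d.AttributeValue
            CorrelationId = $d.OpCorrelationID   # pairs the old (Deleted) and new (Added) value
        }
    }
}

Get-ADAttributeChange -ObjectDNLike 'CN=Jane Doe,*' | Sort-Object TimeCreated | Format-Table -AutoSize
```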
                          • wirestyle22 @Obsolesce

                            @Obsolesce It's only contained in Event Viewer if you have auditing enabled, correct?

                            • wrx7m

                              Wouldn't it be easier to see who sent that email or updated the ticket with that info?

                              • wirestyle22 @wrx7m

                                @wrx7m It's just an auto-generated e-mail telling me that Azure can't sync the user because the UserPrincipalName is in the wrong format.

                                • wrx7m @wirestyle22

                                  Right, but they were typing that sentence to someone. Was it in a logged conversation?

                                  • wirestyle22 @wrx7m

                                    I'm not allowed to search people's e-mails. It might be, though.

                                    • wrx7m @wirestyle22

                                      Just saying that someone who was allowed could do that.

                                      • wirestyle22 @wrx7m

                                        No one is, unfortunately. We have to have a reason to go look. Would need to be approved by my boss. I have access to do it, but I am not allowed.
