ML
    • Recent
    • Categories
    • Tags
    • Popular
    • Users
    • Groups
    • Register
    • Login

    Finding who Changed a Property of a Active Directory User in Powershell

    IT Discussion
    powershell
    7
    20
    723
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • wirestyle22W
      wirestyle22 @Dashrender
      last edited by wirestyle22

      @Dashrender said in Finding who Changed a Property of a Active Directory User in Powershell:

      @wirestyle22 said in Finding who Changed a Property of a Active Directory User in Powershell:

      @nadnerB You can do it via Group Policy I believe. I also think the default windows server auditing allows you to see this. I'm just wondering how you would view it in powershell if you can or if it would automatically be included if auditing is turned on

      that's just it - I don't think anyone here knows if auditing for something like that is even turned on by default. The audit history goes into the Event Viewer though (I'm pretty sure at least) so you'd have to search that for the change.

      It's not on by default for sure

      1 Reply Last reply Reply Quote 0
      • RojoLocoR
        RojoLoco
        last edited by

        I'm pretty sure you can turn on auditing, but something like the netwrix app helps aggregate all that additional data into useful results.

        wirestyle22W 1 Reply Last reply Reply Quote 0
        • wirestyle22W
          wirestyle22 @RojoLoco
          last edited by wirestyle22

          @RojoLoco said in Finding who Changed a Property of a Active Directory User in Powershell:

          I'm pretty sure you can turn on auditing, but something like the Netwrix app helps aggregate all that additional data into useful results.

          I've generally been told my co-workers over the years to never have auditing enabled because it destroys performance. I have no idea if this is true because frankly no company I've ever worked at has used it--including the one I am at now.

          DashrenderD 1 Reply Last reply Reply Quote 0
          • DashrenderD
            Dashrender @wirestyle22
            last edited by

            @wirestyle22 said in Finding who Changed a Property of a Active Directory User in Powershell:

            @RojoLoco said in Finding who Changed a Property of a Active Directory User in Powershell:

            I'm pretty sure you can turn on auditing, but something like the Netwrix app helps aggregate all that additional data into useful results.

            I've generally been told my co-workers over the years to never have auditing enabled because it destroys performance. I have no idea if this is true because frankly no company I've ever worked at has used it--including the one I am at now.

            it is true to a point - though destroy I guess would be more depending on how taxed the system is already. You'd have to get a baseline with it disabled, then enable it and look at how much new strain there is.

            wirestyle22W 1 Reply Last reply Reply Quote 0
            • wirestyle22W
              wirestyle22 @Dashrender
              last edited by wirestyle22

              @Dashrender said in Finding who Changed a Property of a Active Directory User in Powershell:

              @wirestyle22 said in Finding who Changed a Property of a Active Directory User in Powershell:

              @RojoLoco said in Finding who Changed a Property of a Active Directory User in Powershell:

              I'm pretty sure you can turn on auditing, but something like the Netwrix app helps aggregate all that additional data into useful results.

              I've generally been told my co-workers over the years to never have auditing enabled because it destroys performance. I have no idea if this is true because frankly no company I've ever worked at has used it--including the one I am at now.

              it is true to a point - though destroy I guess would be more depending on how taxed the system is already. You'd have to get a baseline with it disabled, then enable it and look at how much new strain there is.

              No one is going to accept a performance hit with the premiums we are paying. Seems like an unsolvable problem. I priced out Netwrix and I can already see it's going to be an immediate no.

              DashrenderD 1 Reply Last reply Reply Quote 0
              • DashrenderD
                Dashrender @wirestyle22
                last edited by

                @wirestyle22 said in Finding who Changed a Property of a Active Directory User in Powershell:

                @Dashrender said in Finding who Changed a Property of a Active Directory User in Powershell:

                @wirestyle22 said in Finding who Changed a Property of a Active Directory User in Powershell:

                @RojoLoco said in Finding who Changed a Property of a Active Directory User in Powershell:

                I'm pretty sure you can turn on auditing, but something like the Netwrix app helps aggregate all that additional data into useful results.

                I've generally been told my co-workers over the years to never have auditing enabled because it destroys performance. I have no idea if this is true because frankly no company I've ever worked at has used it--including the one I am at now.

                it is true to a point - though destroy I guess would be more depending on how taxed the system is already. You'd have to get a baseline with it disabled, then enable it and look at how much new strain there is.

                No one is going to accept a performance hit with the premiums we are paying. Seems like an unsolvable problem. I priced out Netwrix and I can already see it's going to be an immediate no.

                Well this is a one off issue - so yeah, spending money to solve this one issue seems crazy. especially with the prices for that shit!

                What premium are you paying? Are the VM's not locally hosted on hardware you own? Is there no overhead on those servers? i.e. they are all running at 100% utilization? or near so?

                wirestyle22W 1 Reply Last reply Reply Quote 0
                • wirestyle22W
                  wirestyle22 @Dashrender
                  last edited by wirestyle22

                  @Dashrender said in Finding who Changed a Property of a Active Directory User in Powershell:

                  @wirestyle22 said in Finding who Changed a Property of a Active Directory User in Powershell:

                  @Dashrender said in Finding who Changed a Property of a Active Directory User in Powershell:

                  @wirestyle22 said in Finding who Changed a Property of a Active Directory User in Powershell:

                  @RojoLoco said in Finding who Changed a Property of a Active Directory User in Powershell:

                  I'm pretty sure you can turn on auditing, but something like the Netwrix app helps aggregate all that additional data into useful results.

                  I've generally been told my co-workers over the years to never have auditing enabled because it destroys performance. I have no idea if this is true because frankly no company I've ever worked at has used it--including the one I am at now.

                  it is true to a point - though destroy I guess would be more depending on how taxed the system is already. You'd have to get a baseline with it disabled, then enable it and look at how much new strain there is.

                  No one is going to accept a performance hit with the premiums we are paying. Seems like an unsolvable problem. I priced out Netwrix and I can already see it's going to be an immediate no.

                  Well this is a one off issue - so yeah, spending money to solve this one issue seems crazy. especially with the prices for that shit!

                  What premium are you paying? Are the VM's not locally hosted on hardware you own? Is there no overhead on those servers? i.e. they are all running at 100% utilization? or near so?

                  We have millions of dollars worth of VXRail servers in our data center. They are just not going to want to take any performance hit whatsoever

                  1 Reply Last reply Reply Quote 0
                  • ObsolesceO
                    Obsolesce
                    last edited by

                    On prem or off prem? If onprem, look at the audit log in event viewer. If Azure, go into Azure ad audit logs. Both will tell you exactly who changed what.

                    wirestyle22W 1 Reply Last reply Reply Quote 0
                    • wirestyle22W
                      wirestyle22 @Obsolesce
                      last edited by

                      @Obsolesce It's only contained in event viewer if you have auditing enabled, correct?

                      1 Reply Last reply Reply Quote 0
                      • wrx7mW
                        wrx7m
                        last edited by

                        Wouldn't be easier to see who sent that email or updated the ticket with that info?

                        wirestyle22W 1 Reply Last reply Reply Quote 0
                        • wirestyle22W
                          wirestyle22 @wrx7m
                          last edited by

                          @wrx7m It's just an auto-generated e-mail telling me that Azure can't sync the user because the UserPrincipleName is in the wrong format

                          wrx7mW 1 Reply Last reply Reply Quote 0
                          • wrx7mW
                            wrx7m @wirestyle22
                            last edited by

                            @wirestyle22 said in Finding who Changed a Property of a Active Directory User in Powershell:

                            @wrx7m It's just an auto-generated e-mail telling me that Azure can't sync the user because the UserPrincipleName is in the wrong format

                            Right, but they were typing that sentence to someone. Was it in a logged conversation?

                            wirestyle22W 1 Reply Last reply Reply Quote 0
                            • wirestyle22W
                              wirestyle22 @wrx7m
                              last edited by

                              @wrx7m said in Finding who Changed a Property of a Active Directory User in Powershell:

                              @wirestyle22 said in Finding who Changed a Property of a Active Directory User in Powershell:

                              @wrx7m It's just an auto-generated e-mail telling me that Azure can't sync the user because the UserPrincipleName is in the wrong format

                              Right, but they were typing that sentence to someone. Was it in a logged conversation?

                              I'm not allowed to search people's e-mails. It might be though

                              wrx7mW 1 Reply Last reply Reply Quote 0
                              • wrx7mW
                                wrx7m @wirestyle22
                                last edited by

                                @wirestyle22 said in Finding who Changed a Property of a Active Directory User in Powershell:

                                @wrx7m said in Finding who Changed a Property of a Active Directory User in Powershell:

                                @wirestyle22 said in Finding who Changed a Property of a Active Directory User in Powershell:

                                @wrx7m It's just an auto-generated e-mail telling me that Azure can't sync the user because the UserPrincipleName is in the wrong format

                                Right, but they were typing that sentence to someone. Was it in a logged conversation?

                                I'm not allowed to search people's e-mails. It might be though

                                Just saying that someone who was allowed could do that.

                                wirestyle22W 1 Reply Last reply Reply Quote 1
                                • wirestyle22W
                                  wirestyle22 @wrx7m
                                  last edited by wirestyle22

                                  @wrx7m said in Finding who Changed a Property of a Active Directory User in Powershell:

                                  @wirestyle22 said in Finding who Changed a Property of a Active Directory User in Powershell:

                                  @wrx7m said in Finding who Changed a Property of a Active Directory User in Powershell:

                                  @wirestyle22 said in Finding who Changed a Property of a Active Directory User in Powershell:

                                  @wrx7m It's just an auto-generated e-mail telling me that Azure can't sync the user because the UserPrincipleName is in the wrong format

                                  Right, but they were typing that sentence to someone. Was it in a logged conversation?

                                  I'm not allowed to search people's e-mails. It might be though

                                  Just saying that someone who was allowed could do that.

                                  No one is unfortunately. We have to have a reason to go look. Would need to be approved by my boss. I have access to do it, but I am now allowed.

                                  1 Reply Last reply Reply Quote 0
                                  • IRJI
                                    IRJ
                                    last edited by

                                    This post is deleted!
                                    1 Reply Last reply Reply Quote 0
                                    • 1 / 1
                                    • First post
                                      Last post