    Finding who Changed a Property of an Active Directory User in PowerShell

    • wirestyle22

      We recently received some weird Azure errors due to one of our desktop support people (I think?) changing the UserPrincipalName to a sentence they were typing to a co-worker. The e-mail contained the error, which showed the UPN was "oh waitshared calendars or the docctors [email protected]".

      My first step was to search for that UPN via PowerShell:
      Get-ADUser -Filter {UserPrincipalName -like 'oh wait*'}

      That led to the account in question.

      I then ran:
      Get-ADUser -Identity username -Properties *

      I can see it was edited at 9:10 AM yesterday, but I can't see who edited it. Does anyone know of a way I can see the user who changed this via PowerShell?

      • nadnerB

        I’m pretty sure you’d need third-party auditing like Netwrix Auditor for AD for that level of logging.

        • wirestyle22 @nadnerB

          @nadnerB You can do it via Group Policy I believe. I also think the default Windows Server auditing allows you to see this. I'm just wondering how you would view it in PowerShell if you can or if it would automatically be included if auditing is turned on.

          • Dashrender @wirestyle22

            @wirestyle22 said in Finding who Changed a Property of an Active Directory User in PowerShell:

            @nadnerB You can do it via Group Policy I believe. I also think the default Windows Server auditing allows you to see this. I'm just wondering how you would view it in PowerShell if you can or if it would automatically be included if auditing is turned on.

            That's just it - I don't think anyone here knows if auditing for something like that is even turned on by default. The audit history goes into the Event Viewer though (I'm pretty sure at least) so you'd have to search that for the change.

            • wirestyle22 @Dashrender

              @Dashrender said in Finding who Changed a Property of an Active Directory User in PowerShell:

              That's just it - I don't think anyone here knows if auditing for something like that is even turned on by default. The audit history goes into the Event Viewer though (I'm pretty sure at least) so you'd have to search that for the change.

              It's not on by default for sure.

              • RojoLoco

                I'm pretty sure you can turn on auditing, but something like the Netwrix app helps aggregate all that additional data into useful results.

                • wirestyle22 @RojoLoco

                  @RojoLoco said in Finding who Changed a Property of an Active Directory User in PowerShell:

                  I'm pretty sure you can turn on auditing, but something like the Netwrix app helps aggregate all that additional data into useful results.

                  I've generally been told by my co-workers over the years to never have auditing enabled because it destroys performance. I have no idea if this is true because frankly no company I've ever worked at has used it--including the one I am at now.

                  • Dashrender @wirestyle22

                    @wirestyle22 said in Finding who Changed a Property of an Active Directory User in PowerShell:

                    I've generally been told by my co-workers over the years to never have auditing enabled because it destroys performance. I have no idea if this is true because frankly no company I've ever worked at has used it--including the one I am at now.

                    It is true to a point - though destroy I guess would be more depending on how taxed the system is already. You'd have to get a baseline with it disabled, then enable it and look at how much new strain there is.

                    • wirestyle22 @Dashrender

                      @Dashrender said in Finding who Changed a Property of an Active Directory User in PowerShell:

                      It is true to a point - though destroy I guess would be more depending on how taxed the system is already. You'd have to get a baseline with it disabled, then enable it and look at how much new strain there is.

                      No one is going to accept a performance hit with the premiums we are paying. Seems like an unsolvable problem. I priced out Netwrix and I can already see it's going to be an immediate no.

                      • Dashrender @wirestyle22

                        @wirestyle22 said in Finding who Changed a Property of an Active Directory User in PowerShell:

                        No one is going to accept a performance hit with the premiums we are paying. Seems like an unsolvable problem. I priced out Netwrix and I can already see it's going to be an immediate no.

                        Well this is a one-off issue - so yeah, spending money to solve this one issue seems crazy, especially with the prices for that shit!

                        What premium are you paying? Are the VMs not locally hosted on hardware you own? Is there no overhead on those servers? i.e. they are all running at 100% utilization, or near so?

                        • wirestyle22 @Dashrender

                          @Dashrender said in Finding who Changed a Property of an Active Directory User in PowerShell:

                          Well this is a one-off issue - so yeah, spending money to solve this one issue seems crazy, especially with the prices for that shit!

                          What premium are you paying? Are the VMs not locally hosted on hardware you own? Is there no overhead on those servers? i.e. they are all running at 100% utilization, or near so?

                          We have millions of dollars worth of VxRail servers in our data center. They are just not going to want to take any performance hit whatsoever.

                          • Obsolesce

                            On-prem or off-prem? If on-prem, look at the audit log in Event Viewer. If Azure, go into Azure AD audit logs. Both will tell you exactly who changed what.

                            • wirestyle22 @Obsolesce

                              @Obsolesce It's only contained in Event Viewer if you have auditing enabled, correct?

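Added example (not part of any post in this thread): one way to run the on-prem lookup discussed above from PowerShell. It assumes the RSAT ActiveDirectory module, read access to each domain controller's Security log, and a placeholder account name `jdoe`; event 5136 is only present if Directory Service Changes auditing and an audit SACL on the object were already in place when the change was made.

```powershell
# Added example. 'jdoe' and the two-day window are placeholders.
Import-Module ActiveDirectory

$user  = Get-ADUser -Identity 'jdoe'
$since = (Get-Date).AddDays(-2)

# Without auditing: replication metadata shows WHEN the attribute last changed
# and on WHICH DC the write originated, but never WHO made it.
$pdc = (Get-ADDomain).PDCEmulator
Get-ADReplicationAttributeMetadata -Object $user.DistinguishedName -Server $pdc -Properties userPrincipalName |
    Select-Object AttributeName, Version, LastOriginatingChangeTime,
                  LastOriginatingChangeDirectoryServerIdentity

# With auditing: event 5136 is written only on the DC that accepted the write,
# so every DC's Security log has to be searched.
$hits = foreach ($dc in Get-ADDomainController -Filter *) {
    $filter = @{ LogName = 'Security'; Id = 5136; StartTime = $since }
    # SilentlyContinue hides "no matching events" as well as unreachable DCs
    Get-WinEvent -ComputerName $dc.HostName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Flatten <EventData><Data Name="..."> into a name/value table
            $d = @{}
            foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            if ($d.ObjectDN -eq $user.DistinguishedName -and
                $d.AttributeLDAPDisplayName -eq 'userPrincipalName') {
                [pscustomobject]@{
                    Time      = $_.TimeCreated
                    DC        = $dc.HostName
                    ChangedBy = '{0}\{1}' -f $d.SubjectDomainName, $d.SubjectUserName
                    Operation = $d.OperationType    # %%14674 = value added, %%14675 = value deleted
                    Value     = $d.AttributeValue
                    OpId      = $d.OpCorrelationID  # pairs the delete and the add of one edit
                }
            }
        }
}
$hits | Sort-Object Time | Format-Table -AutoSize
```
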
                              • wrx7m

                                Wouldn't it be easier to see who sent that email or updated the ticket with that info?

                                • wirestyle22 @wrx7m

                                  @wrx7m It's just an auto-generated e-mail telling me that Azure can't sync the user because the UserPrincipalName is in the wrong format.

                                  • wrx7m @wirestyle22

                                    @wirestyle22 said in Finding who Changed a Property of an Active Directory User in PowerShell:

                                    @wrx7m It's just an auto-generated e-mail telling me that Azure can't sync the user because the UserPrincipalName is in the wrong format.

                                    Right, but they were typing that sentence to someone. Was it in a logged conversation?

                                    • wirestyle22 @wrx7m

                                      @wrx7m said in Finding who Changed a Property of an Active Directory User in PowerShell:

                                      Right, but they were typing that sentence to someone. Was it in a logged conversation?

                                      I'm not allowed to search people's e-mails. It might be though.

                                      • wrx7m @wirestyle22

                                        @wirestyle22 said in Finding who Changed a Property of an Active Directory User in PowerShell:

                                        I'm not allowed to search people's e-mails. It might be though.

                                        Just saying that someone who was allowed could do that.

                                        • wirestyle22 @wrx7m

                                          @wrx7m said in Finding who Changed a Property of an Active Directory User in PowerShell:

                                          Just saying that someone who was allowed could do that.

                                          No one is unfortunately. We have to have a reason to go look. Would need to be approved by my boss. I have access to do it, but I am not allowed.
