Subject: [ActiveDir] Knowing when users were deleted.
AD00000667
10/14/2005 2:32 AM
Yann,

There are some utilities you can purchase that will alert you when an
object is deleted, added, modified...

Dan

> -------- Original Message --------
> Subject: [ActiveDir] Knowing when users were deleted.
> From: Yann
> Date: Thu, October 13, 2005 11:56 pm
> To: ActiveDir@xxxxxxxxxxxxxxxxxx
>
>
> Hi there,
>
> I wonder if there is a way to know when a user has been deleted from AD other than using security audit, because at the time of the deletion, I forgot to activate the audit :(
>
> So my boss urges me to find the guilty user AND the time of deletion.
> I looked for attributes in adsi and found that there is the whencreated, whenmodified attribute but not whendeletedtimestamp one.
>
> Any idea ?

List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
listmail
10/14/2005 3:05 AM
Correct, you can currently only get the when and the where
(DC Where not Client Where).

Which raises the question. How many people would like a
metadata stamp with the GUID or SID of the userid that made the modification for
a given attribute (or value if appropriate)? Or would it be ok to just have who
made the last change to the object? Either way, none of the "administrators
group" nonsense, it points to a specific security principal.


From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Freddy HARTONO
Sent: Friday, October 14, 2005 3:18 AM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] Knowing when users were deleted.

Hi Yann,

You can find at the deletedobject folder via adfind
-showdel and see the Last modified date - that would be when the object is
deleted.
But as for who deleted - I don't think you can find it
without the auditing.

Thank you and have a splendid day!
Kind Regards,
Freddy Hartono
Group Support Engineer
InternationalSOS Pte Ltd
mail: freddy.hartono@xxxxxxxxxxxxxxxxxxxx
phone: (+65) 6330-9740 - temp

From: Yann [mailto:boubbha@xxxxxxxx]
Sent: Friday, October 14, 2005 2:57 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: [ActiveDir] Knowing when users were deleted.

Hi there,

I wonder if there is a way to know when a user has been deleted from AD
other than using security audit, because at the time of the deletion, I forgot to
activate the audit :(

So my boss urges me to find the guilty user AND the time of deletion.
I looked for attributes in adsi and found that there is the whencreated,
whenmodified attribute but not whendeletedtimestamp one.

Any idea ?
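The "when" and the DC-side "where" mentioned in the reply above are recorded in the replication metadata stamp of the deleted object's isDeleted attribute. The following Python sketch is an added example, not code from the thread: it assumes the stamps were already read as msDS-ReplAttributeMetaData XML values, and every DC name, invocation ID, timestamp and function name in it is constructed.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone


def make_fragment(attr, version, when, dsa_dn, invocation_id):
    """Build one constructed msDS-ReplAttributeMetaData value (sample data only)."""
    return (
        "<DS_REPL_ATTR_META_DATA>"
        f"<pszAttributeName>{attr}</pszAttributeName>"
        f"<dwVersion>{version}</dwVersion>"
        f"<ftimeLastOriginatingChange>{when}</ftimeLastOriginatingChange>"
        f"<uuidLastOriginatingDsaInvocationID>{invocation_id}</uuidLastOriginatingDsaInvocationID>"
        "<usnOriginatingChange>481234</usnOriginatingChange>"
        "<usnLocalChange>903311</usnLocalChange>"
        f"<pszLastOriginatingDsaDN>{dsa_dn}</pszLastOriginatingDsaDN>"
        "</DS_REPL_ATTR_META_DATA>\x00"  # values can carry a trailing NUL
    )


# Constructed names and IDs, not taken from the thread.
DC02 = ("CN=NTDS Settings,CN=DC02,CN=Servers,CN=Paris,CN=Sites,"
        "CN=Configuration,DC=example,DC=com")
INV_A = "11111111-2222-3333-4444-555555555555"
INV_B = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"

# Constructed tombstone: the delete originated on DC02.
DELETED_USER = [
    make_fragment("isDeleted", 1, "2005-10-13T14:02:11Z", DC02, INV_A),
    make_fragment("name", 2, "2005-10-13T14:02:11Z", DC02, INV_A),
    make_fragment("description", 1, "2004-03-01T09:15:00Z", DC02, INV_A),
]
# Constructed tombstone whose originating DC no longer exists; the DSA DN is
# assumed to come back empty in that case, leaving only the invocation ID.
DELETED_ON_RETIRED_DC = [
    make_fragment("isDeleted", 1, "2005-09-30T22:47:05Z", "", INV_B),
]
# Constructed live object: it has no isDeleted stamp at all.
LIVE_USER = [make_fragment("description", 3, "2005-10-01T08:00:00Z", DC02, INV_A)]


def parse_stamps(values):
    """Map lower-cased attribute name -> originating-write stamp."""
    stamps = {}
    for raw in values:
        node = ET.fromstring(raw.rstrip("\x00").strip())
        when = datetime.strptime(
            node.findtext("ftimeLastOriginatingChange"), "%Y-%m-%dT%H:%M:%SZ"
        ).replace(tzinfo=timezone.utc)
        stamps[node.findtext("pszAttributeName").lower()] = {
            "version": int(node.findtext("dwVersion")),
            "when": when,
            "dsa_dn": node.findtext("pszLastOriginatingDsaDN") or "",
            "invocation_id": node.findtext("uuidLastOriginatingDsaInvocationID"),
        }
    return stamps


def dc_name(dsa_dn):
    """Server name from 'CN=NTDS Settings,CN=<server>,CN=Servers,...', else None."""
    parts = [p.strip() for p in dsa_dn.split(",")]
    if (len(parts) > 1 and parts[0].upper() == "CN=NTDS SETTINGS"
            and parts[1].upper().startswith("CN=")):
        return parts[1][3:]
    return None


def deletion_stamp(values):
    """Return when and on which DC isDeleted was written, or None if never."""
    stamp = parse_stamps(values).get("isdeleted")
    if stamp is None:
        return None
    return {
        "when": stamp["when"],                   # the "when" (UTC)
        "dc": dc_name(stamp["dsa_dn"]),          # the "where": a DC, not a client
        "invocation_id": stamp["invocation_id"], # fallback if the DC is gone
        "version": stamp["version"],
    }


if __name__ == "__main__":
    for label, values in (("deleted", DELETED_USER),
                          ("retired DC", DELETED_ON_RETIRED_DC),
                          ("live", LIVE_USER)):
        print(label, deletion_stamp(values))
```

The stamp names the DC that accepted the delete, not the account that requested it, and it is only rewritten when isDeleted itself is written again.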
AD000001348
10/14/2005 3:17 AM
GUID or SID of the user account that made the delete request.  Last mod may not
be enough in case some process gets hold of that data in the deleted items, even
if unlikely.  I want the id of the identity that put caused the object to
be there in the first place.

Having the data for a full undelete option wouldn't seem too terrible either, although
that might significantly increase the storage in the DIT.  In the past I've
had to write apps to keep that information out of band in order to put back
items mistakenly removed. But I can't see why I should have to trip through all
the DC's Audit logs to find the information about who deleted something given
how common this type of question is.  It should be recorded same as the
audit log (we have the information, why not stamp it on the object at time of
deletion?)

Al




-----Original Message-----
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of joe
Sent: Friday, October 14, 2005 11:03 AM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] Knowing when users were deleted.

Correct, you can currently only get the when and the
where (DC Where not Client Where).

Which raises the question. How many people would like a
metadata stamp with the GUID or SID of the userid that made the modification
for a given attribute (or value if appropriate)? Or would it be ok to just
have who made the last change to the object? Either way, none of the
"administrators group" nonsense, it points to a specific security
principal.




From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Freddy HARTONO
Sent: Friday, October 14, 2005 3:18 AM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] Knowing when users were deleted.

Hi Yann,

You can find at the deletedobject folder via adfind
-showdel and see the Last modified date - that would be when the object is
deleted.
But as for who deleted - I don't think you can find it
without the auditing.

Thank you and have a splendid day!
Kind Regards,
Freddy Hartono
Group Support Engineer
InternationalSOS Pte Ltd
mail: freddy.hartono@xxxxxxxxxxxxxxxxxxxx
phone: (+65) 6330-9740 - temp



From: Yann [mailto:boubbha@xxxxxxxx]
Sent: Friday, October 14, 2005 2:57 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: [ActiveDir] Knowing when users were deleted.

Hi there,

I wonder if there is a way to know when a user has been deleted from AD
other than using security audit, because at the time of the deletion, I forgot
to activate the audit :(

So my boss urges me to find the guilty user AND the time of
deletion.
I looked for attributes in adsi and found that there is the whencreated,
whenmodified attribute but not whendeletedtimestamp one.

Any idea ?


boubbha
10/14/2005 3:20 AM
Hi Yann,

You can find at the deletedobject folder via adfind -showdel and see the Last modified date - that would be when the object is deleted.
But as for who deleted - I don't think you can find it without the auditing.

Thank you and have a splendid day!
Kind Regards,
Freddy Hartono
Group Support Engineer
InternationalSOS Pte Ltd
mail: freddy.hartono@xxxxxxxxxxxxxxxxxxxx
phone: (+65) 6330-9740 - temp

From: Yann [mailto:boubbha@xxxxxxxx]
Sent: Friday, October 14, 2005 2:57 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: [ActiveDir] Knowing when users were deleted.

Hi there,

I wonder if there is a way to know when a user has been deleted from AD other than using security audit, because at the time of the deletion, I forgot to activate the audit :(

So my boss urges me to find the guilty user AND the time of deletion.
I looked for attributes in adsi and found that there is the whencreated, whenmodified attribute but not whendeletedtimestamp one.

Any idea ?
alainlissoir
10/14/2005 3:38 AM
Another possibility is the pure scripting way ... and leverage WMI
with two event WQL queries:

1/
Select * From __InstanceDeletionEvent Within 60 Where TargetInstance ISA "ds_user"
2/
Select * From __InstanceCreationEvent Where TargetInstance ISA "Win32_NTLogEvent" And TargetInstance.Logfile = "Audit"

You can use a logic similar to Sample 3.54 - GroupMonitor.wsf (at
http://www.lissware.net, volume 2) but
just need to adapt it to users.
The same reasoning can be used to monitor FSMO role changes
(Sample 3.55 and Sample 3.56 - FSMOMonitor.wsf).

These two scripts send an email containing info about the modified
object.
Tweak them to meet your requirements with the WQL queries 1/ and
2/.
You can download the script freely from my
site.

Enable object access auditing and you can eventually run the
script as a Windows Service (yes) on the DC. Then you are all
set!
You can watch the web cast at http://go.microsoft.com/fwlink/?LinkId=39643 where
I explain how to run scripts as Windows service with the right security
context.

HTH.

/Alain
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Yann
Sent: Friday, October 14, 2005 8:18 AM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] Knowing when users were deleted.

Hi Freddy,

The information you gave rocks !
I did not think using the Last modified date attribute and
query it with the magic joe's tool :
-> "adfind -default -showdel -f isdeleted=TRUE"
It saves my job ! :)

The security audit is now configured and on.

Thanks for your help.

Yann

Freddy HARTONO wrote:


Hi Yann,

You can find at the deletedobject folder via adfind
-showdel and see the Last modified date - that would be when the object is
deleted.
But as for who deleted - I don't think you can find it
without the auditing.

Thank you and have a splendid day!
Kind Regards,
Freddy Hartono
Group Support Engineer
InternationalSOS Pte Ltd
mail: freddy.hartono@xxxxxxxxxxxxxxxxxxxx
phone: (+65) 6330-9740 - temp



From: Yann [mailto:boubbha@xxxxxxxx]
Sent: Friday, October 14, 2005 2:57 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: [ActiveDir] Knowing when users were deleted.

Hi there,

I wonder if there is a way to know when a user has been deleted from AD
other than using security audit, because at the time of the deletion, I forgot
to activate the audit :(

So my boss urges me to find the guilty user AND the time of
deletion.
I looked for attributes in adsi and found that there is the whencreated,
whenmodified attribute but not whendeletedtimestamp one.

Any idea ?


alainlissoir
10/14/2005 3:40 AM
Eventtriggers tool uses WMI WQL query as described in my previous
mail referring to the WMI scripting technique.
Nothing different except that you don't have to deal with a script
... but if you have a script you master the logic better.

/Alain
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Yann
Sent: Friday, October 14, 2005 8:29 AM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] Knowing when users were deleted.

true.

I was looking rather for free tools, and I found the free eventtriggers tool
from the 2k3 rktools that did the job.
It alerts you in real time for a specific eventID. You can
tell eventtriggers to do a particular action such as using dumpel.exe
to dump the 630 id (French specific id I presume) that corresponds to a
deleted object action.

Notice that eventtriggers.exe only works on w2k3/XP machine.

Cheers,

Yann

Daniel Gilbert wrote:

Yann,

There are some utilities you can purchase that will alert you when an
object is deleted, added, modified...

Dan

> -------- Original Message --------
> Subject: [ActiveDir] Knowing when users were deleted.
> From: Yann
> Date: Thu, October 13, 2005 11:56 pm
> To: ActiveDir@xxxxxxxxxxxxxxxxxx
>
> Hi there,
>
> I wonder if there is a way to know when a user has been deleted from AD other than using security audit, because at the time of the deletion, I forgot to activate the audit :(
>
> So my boss urges me to find the guilty user AND the time of deletion.
> I looked for attributes in adsi and found that there is the whencreated, whenmodified attribute but not whendeletedtimestamp one.
>
> Any idea ?
activedirsmaporg
10/14/2005 3:52 AM
Ignoring the 16 bytes at the beginning of the metadata for version and
attr count info, and garbage wasted space ... the metadata for a single
attribute is 48 bytes, adding the SID (28 bytes) would be an expansion of
57% on the _raw_ per attribute metadata size.

A sampling of a corporate DB showed the raw metadata size to be 15% of the
DIT size, which would lead me to believe the DIT would expand by ~10% for
a trivial implementation against this particular corporate DIT.[1]

However, if you look at the /showobjmeta for _any_ object, you will
realize that is a data structure that is over ripe (like bananas you
wouldn't even use for a banana cake) for being compressed. I think I
could add a SID, (custom) compress it, and shrink the DIT in size.

While you might think a GUID is better, because if you add a GUID, it is
only 16 bytes, but that's a very uncompressible 16 bytes, "effectively a
random hash". The SID is more likely to compress properly.

[1] I expect that corporate DITs vary what % is meta-data by how many
certs and big blobs they stick in their AD. I imagine most corporate DITs
are worse (as in higher % is metadata) than the one I checked out.

Not that I've been thought of it ...

Cheers,
-BrettSh [msft]

This posting is provided "AS IS" with no warranties, and confers no
rights.
On Fri, 14 Oct 2005, Al Mulnick wrote:

>
> GUID or SID of the user account that made the delete request. Last mod may
> not be enough in case some process gets hold of that data in the deleted
> items, even if unlikely. I want the id of the identity that put caused the
> object to be there in the first place.
>
> Having the data for a full undelete option wouldn't seem too terrible
> either, although that might significantly increase the storage in the DIT.
> In the past I've had to write apps to keep that information out of band in
> order to put back items mistakenly removed. But I can't see why I should
> have to trip through all the DC's Audit logs to find the information about
> who deleted something given how common this type of question is. It should
> be recorded same as the audit log (we have the information, why not stamp it
> on the object at time of deletion?)
>
> Al
>
>
>
> -----Original Message-----
> From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
> [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of joe
> Sent: Friday, October 14, 2005 11:03 AM
> To: ActiveDir@xxxxxxxxxxxxxxxxxx
> Subject: RE: [ActiveDir] Knowing when users were deleted.
>
>
> Correct, you can currently only get the when and the where (DC Where not
> Client Where).
>
> Which raises the question. How many people would like a metadata stamp with
> the GUID or SID of the userid that made the modification for a given
> attribute (or value if appropriate)? Or would it be ok to just have who made
> the last change to the object? Either way, none of the "administrators
> group" nonsense, it points to a specific security principal.
>
>
>
> _____
>
> From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
> [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Freddy HARTONO
> Sent: Friday, October 14, 2005 3:18 AM
> To: ActiveDir@xxxxxxxxxxxxxxxxxx
> Subject: RE: [ActiveDir] Knowing when users were deleted.
>
>
> Hi Yann,
>
> You can find at the deletedobject folder via adfind -showdel and see the
> Last modified date - that would be when the object is deleted.
>
> But as for who deleted - I don't think you can find it without the auditing.
>
>
>
> Thank you and have a splendid day!
>
> Kind Regards,
>
> Freddy Hartono
> Group Support Engineer
> InternationalSOS Pte Ltd
> mail: freddy.hartono@xxxxxxxxxxxxxxxxxxxx
> phone: (+65) 6330-9740 - temp
>
>
>
> _____
>
> From: Yann [mailto:boubbha@xxxxxxxx]
> Sent: Friday, October 14, 2005 2:57 PM
> To: ActiveDir@xxxxxxxxxxxxxxxxxx
> Subject: [ActiveDir] Knowing when users were deleted.
>
>
> Hi there,
>
> I wonder if there is a way to know when a user has been deleted from AD
> other than using security audit, because at the time of the deletion, I
> forgot to activate the audit :(
>
> So my boss urges me to find the guilty user AND the time of deletion.
> I looked for attributes in adsi and found that there is the whencreated,
> whenmodified attribute but not whendeletedtimestamp one.
>
> Any idea ?
>
>
>
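The compressibility argument in the message above (a 28-byte SID versus a 16-byte GUID) can be checked with a small experiment. This is an added example, not code from the thread and not a model of the real DIT metadata layout: it only compares runs of identifiers, assumes all accounts live in one domain, and uses a constructed domain identifier, RIDs and seed.

```python
import random
import struct
import zlib

# Constructed sub-authorities for a domain SID of the form S-1-5-21-a-b-c.
DOMAIN_SUBAUTHS = (21, 1004336348, 1177238915, 682003330)


def sid_bytes(rid):
    """Binary SID S-1-5-21-<domain>-<rid>.

    Layout: revision (1 byte), sub-authority count (1 byte), identifier
    authority (6 bytes, big-endian), then 5 little-endian 32-bit
    sub-authorities, 28 bytes in total.
    """
    header = struct.pack(">BB6s", 1, 5, (5).to_bytes(6, "big"))
    return header + struct.pack("<5I", *DOMAIN_SUBAUTHS, rid)


def guid_bytes(rng):
    """A 16-byte identifier with no internal structure, like a random GUID."""
    return rng.getrandbits(128).to_bytes(16, "little")


def build_identifiers(n, seed=2005):
    """Return (all SIDs concatenated, all GUIDs concatenated) for n accounts."""
    rng = random.Random(seed)
    rids = rng.sample(range(1000, 200000), n)  # every account is distinct
    sids = b"".join(sid_bytes(rid) for rid in rids)
    guids = b"".join(guid_bytes(rng) for _ in range(n))
    return sids, guids


def compare(n=5000):
    """Raw and zlib-compressed sizes for n SIDs versus n GUIDs."""
    sids, guids = build_identifiers(n)
    return {
        "sid_raw": len(sids),
        "guid_raw": len(guids),
        "sid_zlib": len(zlib.compress(sids, 9)),
        "guid_zlib": len(zlib.compress(guids, 9)),
    }


if __name__ == "__main__":
    result = compare()
    for key in ("sid_raw", "sid_zlib", "guid_raw", "guid_zlib"):
        print(f"{key:>9}: {result[key]} bytes")
```

Every SID in a domain shares its first 24 bytes, so only the RID costs anything after compression, while the GUIDs stay at roughly their raw size.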
AD000001348
10/14/2005 4:07 AM
Is that a "yes" you'll add it? Or no, "..and no bananas for you." answer?

Al


-----Original Message-----
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
[mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Brett Shirley
Sent: Friday, October 14, 2005 11:50 AM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] Knowing when users were deleted.

Ignoring the 16 bytes at the beginning of the metadata for version and attr
count info, and garbage wasted space ... the metadata for a single attribute
is 48 bytes, adding the SID (28 bytes) would be an expansion of 57% on the
_raw_ per attribute metadata size.

A sampling of a corporate DB showed the raw metadata size to be 15% of the
DIT size, which would lead me to believe the DIT would expand by ~10% for a
trivial implementation against this particular corporate DIT.[1]

However, if you look at the /showobjmeta for _any_ object, you will realize
that is a data structure that is over ripe (like bananas you wouldn't even
use for a banana cake) for being compressed. I think I could add a SID,
(custom) compress it, and shrink the DIT in size.

While you might think a GUID is better, because if you add a GUID, it is
only 16 bytes, but that's a very uncompressible 16 bytes, "effectively a
random hash". The SID is more likely to compress properly.

[1] I expect that corporate DITs vary what % is meta-data by how many certs
and big blobs they stick in their AD. I imagine most corporate DITs are
worse (as in higher % is metadata) than the one I checked out.

Not that I've been thought of it ...

Cheers,
-BrettSh [msft]

This posting is provided "AS IS" with no warranties, and confers no rights.
On Fri, 14 Oct 2005, Al Mulnick wrote:

>
> GUID or SID of the user account that made the delete request. Last
> mod may not be enough in case some process gets hold of that data in
> the deleted items, even if unlikely. I want the id of the identity
> that put caused the object to be there in the first place.
>
> Having the data for a full undelete option wouldn't seem too terrible
> either, although that might significantly increase the storage in the
> DIT. In the past I've had to write apps to keep that information out
> of band in order to put back items mistakenly removed. But I can't see
> why I should have to trip through all the DC's Audit logs to find the
> information about who deleted something given how common this type of
> question is. It should be recorded same as the audit log (we have the
> information, why not stamp it on the object at time of deletion?)
>
> Al
>
>
>
> -----Original Message-----
> From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
> [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of joe
> Sent: Friday, October 14, 2005 11:03 AM
> To: ActiveDir@xxxxxxxxxxxxxxxxxx
> Subject: RE: [ActiveDir] Knowing when users were deleted.
>
>
> Correct, you can currently only get the when and the where (DC Where
> not Client Where).
>
> Which raises the question. How many people would like a metadata stamp
> with the GUID or SID of the userid that made the modification for a
> given attribute (or value if appropriate)? Or would it be ok to just
> have who made the last change to the object? Either way, none of the
> "administrators group" nonsense, it points to a specific security
> principal.
>
>
>
> _____
>
> From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
> [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Freddy
> HARTONO
> Sent: Friday, October 14, 2005 3:18 AM
> To: ActiveDir@xxxxxxxxxxxxxxxxxx
> Subject: RE: [ActiveDir] Knowing when users were deleted.
>
>
> Hi Yann,
>
> You can find at the deletedobject folder via adfind -showdel and see
> the Last modified date - that would be when the object is deleted.
>
> But as for who deleted - I don't think you can find it without the
> auditing.
>
>
>
> Thank you and have a splendid day!
>
> Kind Regards,
>
> Freddy Hartono
> Group Support Engineer
> InternationalSOS Pte Ltd
> mail: freddy.hartono@xxxxxxxxxxxxxxxxxxxx
> phone: (+65) 6330-9740 - temp
>
>
>
> _____
>
> From: Yann [mailto:boubbha@xxxxxxxx]
> Sent: Friday, October 14, 2005 2:57 PM
> To: ActiveDir@xxxxxxxxxxxxxxxxxx
> Subject: [ActiveDir] Knowing when users were deleted.
>
>
> Hi there,
>
> I wonder if there is a way to know when a user has been deleted from
> AD other than using security audit, because at the time of the
> deletion, I forgot to activate the audit :(
>
> So my boss urges me to find the guilty user AND the time of deletion. I
> looked for attributes in adsi and found that there is the whencreated,
> whenmodified attribute but not whendeletedtimestamp one.
>
> Any idea ?
>
>
>
activedirsmaporg
10/14/2005 4:28 AM
Well, first you should _never_ ever view anything _I_ am musing as a
possible feature from the product group, I muse A LOT of stuff. PMs will
be feature groups spokespeople, I am a dev. This feature (in various
forms) has been under consideration before, specifically Win2k, Win2k3,
and Longhorn timeframes.

Secondarily, features for any company, is always an optimization question
of profit opportunity of feature A vs. feature B vs. cost vs. available
resources ... would you give up the planned Longhorn RODC features for
something like this?

And finally ... you've dealt with the product group before ... they tell
us (devs) the first time we go to a conference never promise the customer
anything, as we are only supposed to set expectations in customers that
will be delivered on ...

IF you really want a commitment on adding it... how about this, I
can commit to delivering my first blog post before giving you user
modification tracking in metadata.

... have I now doomed the feature to never show up?

So you asked was that a yes or no in that previous post ... I'd view this
as nothing less than and nothing more than ... msft has smart people who
think about this stuff ... and in that spirit, if it were done, you
probably don't need to worry about DIT bloat (I'm much too smart to let
that happen, frankly you insult me ;).

Cheers,
BrettSh [msft]

This posting is provided "AS IS" with no warranties, and confers no
rights.

On Fri, 14 Oct 2005, Al Mulnick wrote:

> Is that a "yes" you'll add it? Or no, "..and no bananas for you." answer?
>
> Al
>
>
> -----Original Message-----
> From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
> [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Brett Shirley
> Sent: Friday, October 14, 2005 11:50 AM
> To: ActiveDir@xxxxxxxxxxxxxxxxxx
> Subject: RE: [ActiveDir] Knowing when users were deleted.
>
>
>
> Ignoring the 16 bytes at the beginning of the metadata for version and attr
> count info, and garbage wasted space ... the metadata for a single attribute
> is 48 bytes, adding the SID (28 bytes) would be an expansion of 57% on the
> _raw_ per attribute metadata size.
>
> A sampling of a corporate DB showed the raw metadata size to be 15% of the
> DIT size, which would lead me to believe the DIT would expand by ~10% for a
> trivial implementation against this particular corporate DIT.[1]
>
> However, if you look at the /showobjmeta for _any_ object, you will realize
> that is a data structure that is over ripe (like bananas you wouldn't even
> use for a banana cake) for being compressed. I think I could add a SID,
> (custom) compress it, and shrink the DIT in size.
>
> While you might think a GUID is better, because if you add a GUID, it is
> only 16 bytes, but that's a very uncompressible 16 bytes, "effectively a
> random hash". The SID is more likely to compress properly.
>
> [1] I expect that corporate DITs vary what % is meta-data by how many certs
> and big blobs they stick in their AD. I imagine most corporate DITs are
> worse (as in higher % is metadata) than the one I checked out.
>
> Not that I've been thought of it ...
>
> Cheers,
> -BrettSh [msft]
>
> This posting is provided "AS IS" with no warranties, and confers no rights.
>
>
> On Fri, 14 Oct 2005, Al Mulnick wrote:
>
> >
> > GUID or SID of the user account that made the delete request. Last
> > mod may not be enough in case some process gets hold of that data in
> > the deleted items, even if unlikely. I want the id of the identity
> > that put caused the object to be there in the first place.
> >
> > Having the data for a full undelete option wouldn't seem too terrible
> > either, although that might significantly increase the storage in the
> > DIT. In the past I've had to write apps to keep that information out
> > of band in order to put back items mistakenly removed. But I can't see
> > why I should have to trip through all the DC's Audit logs to find the
> > information about who deleted something given how common this type of
> > question is. It should be recorded same as the audit log (we have the
> > information, why not stamp it on the object at time of deletion?)
> >
> > Al
> >
> >
> >
> > -----Original Message-----
> > From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
> > [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of joe
> > Sent: Friday, October 14, 2005 11:03 AM
> > To: ActiveDir@xxxxxxxxxxxxxxxxxx
> > Subject: RE: [ActiveDir] Knowing when users were deleted.
> >
> >
> > Correct, you can currently only get the when and the where (DC Where
> > not Client Where).
> >
> > Which raises the question. How many people would like a metadata stamp
> > with the GUID or SID of the userid that made the modification for a
> > given attribute (or value if appropriate)? Or would it be ok to just
> > have who made the last change to the object? Either way, none of the
> > "administrators group" nonsense, it points to a specific security
> > principal.
> >
> >
> >
> > _____
> >
> > From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
> > [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Freddy
> > HARTONO
> > Sent: Friday, October 14, 2005 3:18 AM
> > To: ActiveDir@xxxxxxxxxxxxxxxxxx
> > Subject: RE: [ActiveDir] Knowing when users were deleted.
> >
> >
> > Hi Yann,
> >
> > You can find at the deletedobject folder via adfind -showdel and see
> > the Last modified date - that would be when the object is deleted.
> >
> > But as for who deleted - I don't think you can find it without the
> > auditing.
> >
> >
> >
> > Thank you and have a splendid day!
> >
> > Kind Regards,
> >
> > Freddy Hartono
> > Group Support Engineer
> > InternationalSOS Pte Ltd
> > mail: freddy.hartono@xxxxxxxxxxxxxxxxxxxx
> > phone: (+65) 6330-9740 - temp
> >
> >
> >
> > _____
> >
> > From: Yann [mailto:boubbha@xxxxxxxx]
> > Sent: Friday, October 14, 2005 2:57 PM
> > To: ActiveDir@xxxxxxxxxxxxxxxxxx
> > Subject: [ActiveDir] Knowing when users were deleted.
> >
> >
> > Hi there,
> >
> > I wonder if there is a way to know when a user has been deleted from
> > AD other than using security audit, because at the time of the
> > deletion, I forgot to activate the audit :(
> >
> > So my boss urge me to find the guilty user AND the time of deletion. I
> > looked for attributes in adsi and found that there is the whencreated,
> > whenmodified attribute but not whendeletedtimestamp one.
> >
> > Any idea ?
> >
> >
> >
> >
> >
>
>
>
>

List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
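Brett's claim in the post above, that a 28-byte SID stamp would compress far better than a 16-byte GUID stamp, can be checked with a small model. This is an added example, not code from the thread: the SIDs and GUIDs are constructed, zlib stands in for the "(custom)" compression he mentions, and it assumes every stamp comes from a different account in one domain and that a run of stamps is compressed together.

```python
import random
import struct
import zlib

# Figures quoted in the thread.
ATTR_META_BYTES = 48    # raw metadata per attribute
SID_BYTES = 28          # domain account SID
GUID_BYTES = 16
METADATA_SHARE = 0.15   # metadata share of the sampled DIT


def domain_sid(domain_ids, rid):
    """Binary form of S-1-5-21-<d1>-<d2>-<d3>-<rid>.

    Layout: revision (1), sub-authority count (1), identifier authority
    (6, big-endian), then five little-endian 32-bit sub-authorities.
    """
    header = struct.pack("BB", 1, 5) + (5).to_bytes(6, "big")
    return header + struct.pack("<5I", 21, *domain_ids, rid)


def build_stamps(count, seed=2005):
    """Constructed sample: one SID and one GUID per stamp, all accounts distinct."""
    rng = random.Random(seed)
    domain_ids = [rng.getrandbits(32) for _ in range(3)]
    rids = rng.sample(range(1000, 60000), count)
    sids = b"".join(domain_sid(domain_ids, rid) for rid in rids)
    guids = b"".join(rng.getrandbits(128).to_bytes(16, "little") for _ in rids)
    return sids, guids


def bytes_per_stamp(blob, count):
    """Average compressed bytes each stamp costs when the run is deflated."""
    return len(zlib.compress(blob, 9)) / count


def dit_growth(extra_bytes_per_attr):
    """DIT growth if each 48-byte attribute entry grows by the given amount
    and metadata is 15% of the DIT, as in the sampled database."""
    return METADATA_SHARE * extra_bytes_per_attr / ATTR_META_BYTES


def compare(count=200):
    sids, guids = build_stamps(count)
    rows = {}
    for name, raw, blob in (("SID", SID_BYTES, sids), ("GUID", GUID_BYTES, guids)):
        packed = bytes_per_stamp(blob, count)
        rows[name] = {
            "raw": raw,
            "compressed": packed,
            "growth_raw": dit_growth(raw),
            "growth_compressed": dit_growth(packed),
        }
    return rows


if __name__ == "__main__":
    for name, row in compare().items():
        print(
            f"{name:4} raw {row['raw']:2d} B -> {row['compressed']:5.2f} B compressed; "
            f"DIT growth {row['growth_raw']:.1%} raw, "
            f"{row['growth_compressed']:.1%} compressed"
        )
```

The SIDs share their first 24 bytes (everything except the RID), so deflate replaces most of each stamp with a back-reference, while the random GUID bytes stay at roughly their raw size.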
activedirsmaporgUser is Offline

Posts:0

10/14/2005 4:37 AM  
P.S. - You can't really insult me ...

P.P.S - and if we were smart, we would've compressed the metadata from the
get go ;) and we'd be trying to figure out how to stuff the SID in the
metadata w/o bloating the DIT by 10% ... and instead we'd have to be
really cunning (cunning is smarter than smart) to make it all work out,

P.P.P.S. - or do surveys to see if the increase in DIT size is worth the
feature to you guys (which is an interesting question in itself, just to
see what people are willing to "pay". ;)

P.P.P.P.S. - Instead we're lucky. The line between lucky and cunning is
very narrow.

OK, I'm done.
On Fri, 14 Oct 2005, Brett Shirley wrote:

> Well, first you should _never_ ever view anything _I_ am musing as a
> possible feature from the product group, I muse A LOT of stuff. PMs will
> be feature groups spokespeople, I am a dev. This feature (in various
> forms) has been under consideration before, specifically Win2k, Win2k3,
> and Longhorn timeframes.
>
> Secondarily, features for any company, is always an optimization question
> of profit opportunity of feature A vs. feature B vs. cost vs. available
> resources ... would you give up the planned Longhorn RODC features for
> something like this?
>
> And finally ... you've dealt with the product group before ... they tell
> us (devs) the first time we go to a conference never promise the customer
> anything, as we are only supposed to set expectations in customers that
> will be delivered on ...
>
> IF you really want a commitment on adding it... how about this, I
> can commit to delivering my first blog post before giving you user
> modification tracking in metadata.
>
> ... have I now doomed the feature to never show up?
>
> So you asked was that a yes or no in that previous post ... I'd view this
> as nothing less than and nothing more than ... msft has smart people who
> think about this stuff ... and in that spirit, if it were done, you
> probably don't need to worry about DIT bloat (I'm much too smart to let
> that happen, frankly you insult me ;).
>
> Cheers,
> BrettSh [msft]
>
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
>
> On Fri, 14 Oct 2005, Al Mulnick wrote:
>
> > Is that a "yes" you'll add it? Or no, "..and no bananas for you." answer?
> >
> > Al
> >
> >
> > -----Original Message-----
> > From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
> > [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Brett Shirley
> > Sent: Friday, October 14, 2005 11:50 AM
> > To: ActiveDir@xxxxxxxxxxxxxxxxxx
> > Subject: RE: [ActiveDir] Knowing when users were deleted.
> >
> >
> >
> > Ignoring the 16 bytes at the beginning of the metadata for version and attr
> > count info, and garbage wasted space ... the metadata for a single attribute
> > is 48 bytes, adding the SID (28 bytes) would be an expansion of 57% on the
> > _raw_ per attribute metadata size.
> >
> > A sampling of a corporate DB showed the raw metadata size to be 15% of the
> > DIT size, which would lead me to believe the DIT would expand by ~10% for a
> > trivial implementation against this particular corporate DIT.[1]
> >
> > However, if you look at the /showobjmeta for _any_ object, you will realize
> > that is a data structure that is over ripe (like bananas you wouldn't even
> > use for a banana cake) for being compressed. I think I could add a SID,
> > (custom) compress it, and shrink the DIT in size.
> >
> > While you might think a GUID is better, because if you add a GUID, it is
> > only 16 bytes, but that's a very uncompressible 16 bytes, "effectively a
> > random hash". The SID is more likely to compress properly.
> >
> > [1] I expect that corporate DITs vary what % is meta-data by how many certs
> > and big blobs they stick in their AD. I imagine most corporate DITs are
> > worse (as in higher % is metadata) than the one I checked out.
> >
> > Not that I've been thought of it ...
> >
> > Cheers,
> > -BrettSh [msft]
> >
> > This posting is provided "AS IS" with no warranties, and confers no rights.
> >
> >
> > On Fri, 14 Oct 2005, Al Mulnick wrote:
> >
> > >
> > > GUID or SID of the user account that made the delete request. Last
> > > mod may not be enough in case some process gets hold of that data in
> > > the deleted items, even if unlikely. I want the id of the identity
> > > that put caused the object to be there in the first place.
> > >
> > > Having the data for a full undelete option wouldn't seem too terrible
> > > either, although that might significantly increase the storage in the
> > > DIT. In the past I've had to write apps to keep that information out
> > > of band in order to put back items mistakenly removed. But I can't see
> > > why I should have to trip through all the DC's Audit logs to find the
> > > information about who deleted something given how common this type of
> > > question is. It should be recorded same as the audit log (we have the
> > > information, why not stamp it on the object at time of deletion?)
> > >
> > > Al
> > >
> > >
> > >
> > > -----Original Message-----
> > > From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
> > > [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of joe
> > > Sent: Friday, October 14, 2005 11:03 AM
> > > To: ActiveDir@xxxxxxxxxxxxxxxxxx
> > > Subject: RE: [ActiveDir] Knowing when users were deleted.
> > >
> > >
> > > Correct, you can currently only get the when and the where (DC Where
> > > not Client Where).
> > >
> > > Which raises the question. How many people would like a metadata stamp
> > > with the GUID or SID of the userid that made the modification for a
> > > given attribute (or value if appropriate)? Or would it be ok to just
> > > have who made the last change to the object? Either way, none of the
> > > "administrators group" nonsense, it points to a specific security
> > > principal.
> > >
> > >
> > >
> > > _____
> > >
> > > From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
> > > [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Freddy
> > > HARTONO
> > > Sent: Friday, October 14, 2005 3:18 AM
> > > To: ActiveDir@xxxxxxxxxxxxxxxxxx
> > > Subject: RE: [ActiveDir] Knowing when users were deleted.
> > >
> > >
> > > Hi Yann,
> > >
> > > You can find at the deletedobject folder via adfind -showdel and see
> > > the Last modified date - that would be when the object is deleted.
> > >
> > > But as for who deleted - I don't think you can find it without the
> > > auditing.
> > >
> > >
> > >
> > > Thank you and have a splendid day!
> > >
> > > Kind Regards,
> > >
> > > Freddy Hartono
> > > Group Support Engineer
> > > InternationalSOS Pte Ltd
> > > mail: freddy.hartono@xxxxxxxxxxxxxxxxxxxx
> > > phone: (+65) 6330-9740 - temp
> > >
> > >
> > >
> > > _____
> > >
> > > From: Yann [mailto:boubbha@xxxxxxxx]
> > > Sent: Friday, October 14, 2005 2:57 PM
> > > To: ActiveDir@xxxxxxxxxxxxxxxxxx
> > > Subject: [ActiveDir] Knowing when users were deleted.
> > >
> > >
> > > Hi there,
> > >
> > > I wonder if there is a way to know when a user has been deleted from
> > > AD other than using security audit, because at the time of the
> > > deletion, I forgot to activate the audit :(
> > >
> > > So my boss urge me to find the guilty user AND the time of deletion. I
> > > looked for attributes in adsi and found that there is the whencreated,
> > > whenmodified attribute but not whendeletedtimestamp one.
> > >
> > > Any idea ?
> > >
> > >
> > >
> > >
> > >
> >
> >
> >
> >
>
>

List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
AD000001348User is Offline

Posts:0

10/14/2005 4:50 AM  
"would you give up the planned Longhorn RODC features for something like
this?"

I'd happily give up RODC in favor of this. But I appreciate the honest
answer and wasn't looking for a commitment. I'll be more careful to word
things more appropriately in the future and to eat my vegetables at every
meal.

I'd be very happy to see this as an option with some growth parameters that
are documented (if you do x, expect this amount of storage per item increase
over not doing it) sort of documentation.

Now if only I could find that Microsoft wish email address to send such a
request to....

Al

P.S. I can't insult you? Really? If I do, will you blog about it in your
second blog post?

-----Original Message-----
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
[mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Brett Shirley
Sent: Friday, October 14, 2005 12:35 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] Knowing when users were deleted.

P.S. - You can't really insult me ...

P.P.S - and if we were smart, we would've compressed the metadata from the
get go ;) and we'd be trying to figure out how to stuff the SID in the
metadata w/o bloating the DIT by 10% ... and instead we'd have to be really
cunning (cunning is smarter than smart) to make it all work out,

P.P.P.S. - or do surveys to see if the increase in DIT size is worth the
feature to you guys (which is an interesting question in itself, just to see
what people are willing to "pay". ;)

P.P.P.P.S. - Instead we're lucky. The line between lucky and cunning is
very narrow.

OK, I'm done.
On Fri, 14 Oct 2005, Brett Shirley wrote:

> Well, first you should _never_ ever view anything _I_ am musing as a
> possible feature from the product group, I muse A LOT of stuff. PMs
> will be feature groups spokespeople, I am a dev. This feature (in
> various forms) has been under consideration before, specifically Win2k,
> Win2k3, and Longhorn timeframes.
>
> Secondarily, features for any company, is always an optimization
> question of profit opportunity of feature A vs. feature B vs. cost vs.
> available resources ... would you give up the planned Longhorn RODC
> features for something like this?
>
> And finally ... you've dealt with the product group before ... they
> tell us (devs) the first time we go to a conference never promise the
> customer anything, as we are only supposed to set expectations in
> customers that will be delivered on ...
>
> IF you really want a commitment on adding it... how about this, I
> can commit to delivering my first blog post before giving you user
> modification tracking in metadata.
>
> ... have I now doomed the feature to never show up?
>
> So you asked was that a yes or no in that previous post ... I'd view
> this as nothing less than and nothing more than ... msft has smart
> people who think about this stuff ... and in that spirit, if it were
> done, you probably don't need to worry about DIT bloat (I'm much too
> smart to let that happen, frankly you insult me ;).
>
> Cheers,
> BrettSh [msft]
>
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
>
> On Fri, 14 Oct 2005, Al Mulnick wrote:
>
> > Is that a "yes" you'll add it? Or no, "..and no bananas for you."
> > answer?
> >
> > Al
> >
> >
> > -----Original Message-----
> > From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
> > [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Brett
> > Shirley
> > Sent: Friday, October 14, 2005 11:50 AM
> > To: ActiveDir@xxxxxxxxxxxxxxxxxx
> > Subject: RE: [ActiveDir] Knowing when users were deleted.
> >
> >
> >
> > Ignoring the 16 bytes at the beginning of the metadata for version
> > and attr count info, and garbage wasted space ... the metadata for a
> > single attribute is 48 bytes, adding the SID (28 bytes) would be an
> > expansion of 57% on the _raw_ per attribute metadata size.
> >
> > A sampling of a corporate DB showed the raw metadata size to be 15%
> > of the DIT size, which would lead me to believe the DIT would expand
> > by ~10% for a trivial implementation against this particular
> > corporate DIT.[1]
> >
> > However, if you look at the /showobjmeta for _any_ object, you will
> > realize that is a data structure that is over ripe (like bananas
> > you wouldn't even use for a banana cake) for being compressed. I
> > think I could add a SID, (custom) compress it, and shrink the DIT in
> > size.
> >
> > While you might think a GUID is better, because if you add a GUID,
> > it is only 16 bytes, but that's a very uncompressible 16 bytes,
> > "effectively a random hash". The SID is more likely to compress
> > properly.
> >
> > [1] I expect that corporate DITs vary what % is meta-data by how
> > many certs and big blobs they stick in their AD. I imagine most
> > corporate DITs are worse (as in higher % is metadata) than the one I
> > checked out.
> >
> > Not that I've been thought of it ...
> >
> > Cheers,
> > -BrettSh [msft]
> >
> > This posting is provided "AS IS" with no warranties, and confers no
> > rights.
> >
> >
> > On Fri, 14 Oct 2005, Al Mulnick wrote:
> >
> > >
> > > GUID or SID of the user account that made the delete request. Last
> > > mod may not be enough in case some process gets hold of that data in
> > > the deleted items, even if unlikely. I want the id of the identity
> > > that put caused the object to be there in the first place.
> > >
> > > Having the data for a full undelete option wouldn't seem too terrible
> > > either, although that might significantly increase the storage in the
> > > DIT. In the past I've had to write apps to keep that information out
> > > of band in order to put back items mistakenly removed. But I can't see
> > > why I should have to trip through all the DC's Audit logs to find the
> > > information about who deleted something given how common this type of
> > > question is. It should be recorded same as the audit log (we have the
> > > information, why not stamp it on the object at time of deletion?)
> > >
> > > Al
> > >
> > >
> > >
> > > -----Original Message-----
> > > From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
> > > [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of joe
> > > Sent: Friday, October 14, 2005 11:03 AM
> > > To: ActiveDir@xxxxxxxxxxxxxxxxxx
> > > Subject: RE: [ActiveDir] Knowing when users were deleted.
> > >
> > >
> > > Correct, you can currently only get the when and the where (DC Where
> > > not Client Where).
> > >
> > > Which raises the question. How many people would like a metadata stamp
> > > with the GUID or SID of the userid that made the modification for a
> > > given attribute (or value if appropriate)? Or would it be ok to just
> > > have who made the last change to the object? Either way, none of the
> > > "administrators group" nonsense, it points to a specific security
> > > principal.
> > >
> > >
> > >
> > > _____
> > >
> > > From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
> > > [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Freddy
> > > HARTONO
> > > Sent: Friday, October 14, 2005 3:18 AM
> > > To: ActiveDir@xxxxxxxxxxxxxxxxxx
> > > Subject: RE: [ActiveDir] Knowing when users were deleted.
> > >
> > >
> > > Hi Yann,
> > >
> > > You can find at the deletedobject folder via adfind -showdel and see
> > > the Last modified date - that would be when the object is deleted.
> > >
> > > But as for who deleted - I don't think you can find it without the
> > > auditing.
> > >
> > >
> > >
> > > Thank you and have a splendid day!
> > >
> > > Kind Regards,
> > >
> > > Freddy Hartono
> > > Group Support Engineer
> > > InternationalSOS Pte Ltd
> > > mail: freddy.hartono@xxxxxxxxxxxxxxxxxxxx
> > > phone: (+65) 6330-9740 - temp
> > >
> > >
> > >
> > > _____
> > >
> > > From: Yann [mailto:boubbha@xxxxxxxx]
> > > Sent: Friday, October 14, 2005 2:57 PM
> > > To: ActiveDir@xxxxxxxxxxxxxxxxxx
> > > Subject: [ActiveDir] Knowing when users were deleted.
> > >
> > >
> > > Hi there,
> > >
> > > I wonder if there is a way to know when a user has been deleted from
> > > AD other than using security audit, because at the time of the
> > > deletion, I forgot to activate the audit :(
> > >
> > > So my boss urge me to find the guilty user AND the time of deletion. I
> > > looked for attributes in adsi and found that there is the whencreated,
> > > whenmodified attribute but not whendeletedtimestamp one.
> > >
> > > Any idea ?
> > >
> > >
> > >
> > >
> > >
> >
> >
> >
> >
>
>

List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
darren.marelia@xxxx.yyy

10/14/2005 4:58 AM  
"Now if only I could find that Microsoft wish email address to send such a request to...."

Try http://www.windowsserverfeedback.com/

-----Original Message-----
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Al Mulnick
Sent: Friday, October 14, 2005 9:48 AM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] Knowing when users were deleted.

"would you give up the planned Longhorn RODC features for something like this?"

I'd happily give up RODC in favor of this. But I appreciate the honest answer and wasn't looking for a commitment. I'll be more careful to word things more appropriately in the future and to eat my vegetables at every meal.

I'd be very happy to see this as an option with some growth parameters that are documented (if you do x, expect this amount of storage per item increase over not doing it) sort of documentation.

Now if only I could find that Microsoft wish email address to send such a request to....

Al

P.S. I can't insult you? Really? If I do, will you blog about it in your second blog post?

-----Original Message-----
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
[mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Brett Shirley
Sent: Friday, October 14, 2005 12:35 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] Knowing when users were deleted.

P.S. - You can't really insult me ...

P.P.S - and if we were smart, we would've compressed the metadata from the get go ;) and we'd be trying to figure out how to stuff the SID in the metadata w/o bloating the DIT by 10% ... and instead we'd have to be really cunning (cunning is smarter than smart) to make it all work out,

P.P.P.S. - or do surveys to see if the increase in DIT size is worth the feature to you guys (which is an interesting question in itself, just to see what people are willing to "pay". ;)

P.P.P.P.S. - Instead we're lucky. The line between lucky and cunning is very narrow.

OK, I'm done.
On Fri, 14 Oct 2005, Brett Shirley wrote:

> Well, first you should _never_ ever view anything _I_ am musing as a
> possible feature from the product group, I muse A LOT of stuff. PMs
> will be feature groups spokespeople, I am a dev. This feature (in
> various forms) has been under consideration before, specifically Win2k,
> Win2k3, and Longhorn timeframes.
>
> Secondarily, features for any company, is always an optimization
> question of profit opportunity of feature A vs. feature B vs. cost vs.
> available resources ... would you give up the planned Longhorn RODC
> features for something like this?
>
> And finally ... you've dealt with the product group before ... they
> tell us (devs) the first time we go to a conference never promise the
> customer anything, as we are only supposed to set expectations in
> customers that will be delivered on ...
>
> IF you really want a commitment on adding it... how about this, I
> can commit to delivering my first blog post before giving you user
> modification tracking in metadata.
>
> ... have I now doomed the feature to never show up?
>
> So you asked was that a yes or no in that previous post ... I'd view
> this as nothing less than and nothing more than ... msft has smart
> people who think about this stuff ... and in that spirit, if it were
> done, you probably don't need to worry about DIT bloat (I'm much too
> smart to let that happen, frankly you insult me ;).
>
> Cheers,
> BrettSh [msft]
>
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
>
> On Fri, 14 Oct 2005, Al Mulnick wrote:
>
> > Is that a "yes" you'll add it? Or no, "..and no bananas for you."
> > answer?
> >
> > Al
> >
> >
> > -----Original Message-----
> > From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
> > [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Brett
> > Shirley
> > Sent: Friday, October 14, 2005 11:50 AM
> > To: ActiveDir@xxxxxxxxxxxxxxxxxx
> > Subject: RE: [ActiveDir] Knowing when users were deleted.
> >
> >
> >
> > Ignoring the 16 bytes at the beginning of the metadata for version
> > and attr count info, and garbage wasted space ... the metadata for a
> > single attribute is 48 bytes, adding the SID (28 bytes) would be an
> > expansion of 57% on the _raw_ per attribute metadata size.
> >
> > A sampling of a corporate DB showed the raw metadata size to be 15%
> > of the DIT size, which would lead me to believe the DIT would expand
> > by ~10% for a trivial implementation against this particular
> > corporate DIT.[1]
> >
> > However, if you look at the /showobjmeta for _any_ object, you will
> > realize that is a data structure that is over ripe (like bananas
> > you wouldn't even use for a banana cake) for being compressed. I
> > think I could add a SID, (custom) compress it, and shrink the DIT in
> > size.
> >
> > While you might think a GUID is better, because if you add a GUID,
> > it is only 16 bytes, but that's a very uncompressible 16 bytes,
> > "effectively a random hash". The SID is more likely to compress
> > properly.
> >
> > [1] I expect that corporate DITs vary what % is meta-data by how
> > many certs and big blobs they stick in their AD. I imagine most
> > corporate DITs are worse (as in higher % is metadata) than the one I
> > checked out.
> >
> > Not that I've been thought of it ...
> >
> > Cheers,
> > -BrettSh [msft]
> >
> > This posting is provided "AS IS" with no warranties, and confers no
> > rights.
> >
> >
> > On Fri, 14 Oct 2005, Al Mulnick wrote:
> >
> > >
> > > GUID or SID of the user account that made the delete request. Last
> > > mod may not be enough in case some process gets hold of that data
> > > in the deleted items, even if unlikely. I want the id of the
> > > identity that put caused the object to be there in the first place.
> > >
> > > Having the data for a full undelete option wouldn't seem too
> > > terrible either, although that might significantly increase the
> > > storage in the DIT. In the past I've had to write apps to keep
> > > that information out of band in order to put back items mistakenly
> > > removed. But I can't see
> > > why I should have to trip through all the DC's Audit logs to find
> > > the information about who deleted something given how common this
> > > type of question is. It should be recorded same as the audit log
> > > (we have the
> > > information, why not stamp it on the object at time of deletion?)
> > >
> > > Al
> > >
> > >
> > >
> > > -----Original Message-----
> > > From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
> > > [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of joe
> > > Sent: Friday, October 14, 2005 11:03 AM
> > > To: ActiveDir@xxxxxxxxxxxxxxxxxx
> > > Subject: RE: [ActiveDir] Knowing when users were deleted.
> > >
> > >
> > > Correct, you can currently only get the when and the where (DC
> > > Where not Client Where).
> > >
> > > Which raises the question. How many people would like a metadata
> > > stamp with the GUID or SID of the userid that made the
> > > modification for a given attribute (or value if appropriate)? Or
> > > would it be ok to just have who made the last change to the
> > > object? Either way, none of the "administrators group" nonsense,
> > > it points to a specific security principal.
> > >
> > >
> > >
> > > _____
> > >
> > > From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
> > > [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Freddy
> > > HARTONO
> > > Sent: Friday, October 14, 2005 3:18 AM
> > > To: ActiveDir@xxxxxxxxxxxxxxxxxx
> > > Subject: RE: [ActiveDir] Knowing when users were deleted.
> > >
> > >
> > > Hi Yann,
> > >
> > > You can find at the deletedobject folder via adfind -showdel and
> > > see the Last modified date - that would be when the object is
> > > deleted.
> > >
> > > But as for who deleted - I don't think you can find it without the
> > > auditing.
> > >
> > >
> > >
> > > Thank you and have a splendid day!
> > >
> > > Kind Regards,
> > >
> > > Freddy Hartono
> > > Group Support Engineer
> > > InternationalSOS Pte Ltd
> > > mail: freddy.hartono@xxxxxxxxxxxxxxxxxxxx
> > > phone: (+65) 6330-9740 - temp
> > >
> > >
> > >
> > > _____
> > >
> > > From: Yann [mailto:boubbha@xxxxxxxx]
> > > Sent: Friday, October 14, 2005 2:57 PM
> > > To: ActiveDir@xxxxxxxxxxxxxxxxxx
> > > Subject: [ActiveDir] Knowing when users were deleted.
> > >
> > >
> > > Hi there,
> > >
> > > I wonder if there is a way to know when a user has been deleted
> > > from AD other than using security audit, because at the time of the
> > > deletion, I forgot to activate the audit :(
> > >
> > > So my boss urge me to find the guilty user AND the time of
> > > deletion. I looked for attributes in adsi and found that there is
> > > the whencreated,
> > > whenmodified attribute but not whendeletedtimestamp one.
> > >
> > > Any idea ?
> > >
> > >
> > >
> > >
> > >
> >
> >
> >
> >
>
>

List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
GilUser is Offline

Posts:81

10/14/2005 5:06 AM  
NetPro's ChangeAuditor for AD does this without requiring
auditing. The change log includes what was changed, before and after values,
when, where, and by whom.
See http://www.netpro.com/products/changemanager/


From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
[mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Yann
Sent: Thursday, October 13, 2005 11:57 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: [ActiveDir] Knowing when users were deleted.

Hi there,

I wonder if there is a way to know when a user has been deleted from AD
other than using security audit, because at the time of the deletion, I forgot to
activate the audit :(

So my boss urge me to find the guilty user AND the time of deletion.
I looked for attributes in adsi and found that there is the whencreated,
whenmodified attribute but not whendeletedtimestamp one.

Any idea ?
FreddyHARTONO

10/14/2005 5:11 AM  
*raises hand*

sid of the last modify-er would be just nice for
me.

Usually we just want to know which admin is the culprit
without analyzing 30gig of DC security log (one day log)
Thank you and have a splendid day!
Kind Regards,
Freddy Hartono Group Support Engineer InternationalSOS Pte Ltd mail:
freddy.hartono@xxxxxxxxxxxxxxxxxxxx phone:
(+65) 6330-9740 - temp

From: joe [mailto:listmail@xxxxxxxxxxx]
Sent: Friday, October 14, 2005 11:03 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] Knowing when users were deleted.

Correct, you can currently only get the when and the where
(DC Where not Client Where).

Which raises the question. How many people would like a
metadata stamp with the GUID or SID of the userid that made the modification for
a given attribute (or value if appropriate)? Or would it be ok to just have who
made the last change to the object? Either way, none of the "administrators
group" nonsense, it points to a specific security principal.


From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Freddy HARTONO
Sent: Friday, October 14, 2005 3:18 AM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] Knowing when users were deleted.

Hi Yann,

You can find at the deletedobject folder via adfind -showdel
and see the Last modified date - that would be when the object is
deleted.
But as for who deleted - I don't think you can find it
without the auditing.

Thank you and have a splendid day!
Kind Regards,
Freddy Hartono Group Support Engineer InternationalSOS Pte Ltd mail:
freddy.hartono@xxxxxxxxxxxxxxxxxxxx phone:
(+65) 6330-9740 - temp

From: Yann [mailto:boubbha@xxxxxxxx]
Sent: Friday, October 14, 2005 2:57 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: [ActiveDir] Knowing when users were deleted.

Hi there,

I wonder if there is a way to know when a user has been deleted from AD
other than using security audit, because at the time of the deletion, I forgot to
activate the audit :(

So my boss urges me to find the guilty user AND the time of deletion.
I looked for attributes in adsi and found that there is the whencreated,
whenmodified attribute but not whendeletedtimestamp one.

Any idea ?
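The tombstone lookup discussed in this message (deletion time and originating DC, but not the deleting principal), as an added example that is not part of the original thread. It uses the ActiveDirectory PowerShell module rather than the adfind tool named above, and assumes the tombstones have not yet been garbage-collected; querying the PDC emulator via `$dc` is an arbitrary choice made for the example.

```powershell
# Added example: requires the ActiveDirectory module (RSAT) and rights to read
# the Deleted Objects container. Read-only; nothing is restored or modified.
Import-Module ActiveDirectory

# Assumption: query the PDC emulator; any DC holding the domain partition works.
$dc = (Get-ADDomain).PDCEmulator

# Tombstones of deleted user objects. Computer accounts also carry
# objectClass=user, so they are excluded explicitly.
$deleted = Get-ADObject -Server $dc -IncludeDeletedObjects `
    -Filter 'isDeleted -eq $true -and objectClass -eq "user" -and objectClass -ne "computer"' `
    -Properties sAMAccountName, lastKnownParent, whenChanged

$report = foreach ($obj in $deleted) {
    # Replication metadata for isDeleted records when the flag was set and on
    # which DC the write originated. It does not record the security principal;
    # the "who" needs the security audit log or a separate change-auditing tool.
    $meta = Get-ADReplicationAttributeMetadata -Object $obj.ObjectGUID -Server $dc `
        -IncludeDeletedObjects -Properties isDeleted

    [pscustomobject]@{
        Account         = $obj.sAMAccountName
        LastKnownParent = $obj.lastKnownParent
        # whenChanged is not replicated, so it reflects the local DC's write time.
        LocalWhenChanged = $obj.whenChanged
        # Originating time of the delete, identical on every replica.
        DeletedAt       = $meta.LastOriginatingChangeTime
        OriginatingDC   = $meta.LastOriginatingChangeDirectoryServerIdentity
        Version         = $meta.Version
    }
}

$report | Sort-Object DeletedAt | Format-Table -AutoSize
```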
darren.marelia@xxxx.yyy

10/14/2005 5:34 AM  
Ok, now you've done it Gil :-) I guess this is the geek
version of "dueling banjos" :-)


Quest's InTrust for Active Directory provides
detailed, real-time auditing and alerting of all changes to AD and Group Policy
Objects (GPOs), including changes to AD configuration and GPO settings. It also
provides all information behind important changes, including who made the change
and the before and after values all without requiring native auditing. http://wm.quest.com/products/InTrustAD/




From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Gil Kirkpatrick
Sent: Friday, October 14, 2005 10:02 AM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] Knowing when users were deleted.

NetPro's ChangeAuditor for AD does this without requiring
auditing. The change log includes what was changed, before and after values,
when, where, and by whom.
See http://www.netpro.com/products/changemanager/


From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Yann
Sent: Thursday, October 13, 2005 11:57 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: [ActiveDir] Knowing when users were deleted.

Hi there,

I wonder if there is a way to know when a user has been deleted from AD
other than using security audit, because at the time of the deletion, I forgot to
activate the audit :(

So my boss urges me to find the guilty user AND the time of deletion.
I looked for attributes in adsi and found that there is the whencreated,
whenmodified attribute but not whendeletedtimestamp one.

Any idea ?
Gil

10/14/2005 5:39 AM  
I get to be Burt Reynolds! :)

-g
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Darren Mar-Elia
Sent: Friday, October 14, 2005 10:33 AM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] Knowing when users were deleted.

Ok, now you've done it Gil :-) I guess this is the geek
version of "dueling banjos" :-)


Quest's InTrust for Active Directory provides
detailed, real-time auditing and alerting of all changes to AD and Group Policy
Objects (GPOs), including changes to AD configuration and GPO settings. It also
provides all information behind important changes, including who made the change
and the before and after values all without requiring native auditing. http://wm.quest.com/products/InTrustAD/




From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Gil Kirkpatrick
Sent: Friday, October 14, 2005 10:02 AM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] Knowing when users were deleted.

NetPro's ChangeAuditor for AD does this without requiring
auditing. The change log includes what was changed, before and after values,
when, where, and by whom.
See http://www.netpro.com/products/changemanager/


From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Yann
Sent: Thursday, October 13, 2005 11:57 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: [ActiveDir] Knowing when users were deleted.

Hi there,

I wonder if there is a way to know when a user has been deleted from AD
other than using security audit, because at the time of the deletion, I forgot to
activate the audit :(

So my boss urges me to find the guilty user AND the time of deletion.
I looked for attributes in adsi and found that there is the whencreated,
whenmodified attribute but not whendeletedtimestamp one.

Any idea ?
habr

10/14/2005 6:56 AM  
Gentlemen,
"WHICH IS CHEAPER?"
LOL
RH
__________________________________


-----Original Message-----
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Darren Mar-Elia
Sent: Friday, October 14, 2005 1:33 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] Knowing when users were deleted.

Ok, now you've done it Gil :-) I guess this is the geek
version of "dueling banjos" :-)


Quest's InTrust for Active
Directory provides detailed, real-time auditing and alerting of all changes to
AD and Group Policy Objects (GPOs), including changes to AD configuration and
GPO settings. It also provides all information behind important changes,
including who made the change and the before and after values all without
requiring native auditing. http://wm.quest.com/products/InTrustAD/






From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Gil Kirkpatrick
Sent: Friday, October 14, 2005 10:02 AM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] Knowing when users were deleted.


NetPro's ChangeAuditor for AD does this without requiring
auditing. The change log includes what was changed, before and after values,
when, where, and by whom.
See http://www.netpro.com/products/changemanager/




From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Yann
Sent: Thursday, October 13, 2005 11:57 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: [ActiveDir] Knowing when users were deleted.

Hi there,

I wonder if there is a way to know when a user has been deleted from AD
other than using security audit, because at the time of the deletion, I forgot
to activate the audit :(

So my boss urges me to find the guilty user AND the time of
deletion.
I looked for attributes in adsi and found that there is the whencreated,
whenmodified attribute but not whendeletedtimestamp one.

Any idea ?

