Finding Who Changed a Property of an Active Directory User in PowerShell
-
We recently received some weird Azure errors due to one of our desktop support people (I think?) changing the UserPrincipalName to a sentence they were typing to a co-worker. The e-mail contained the error, which showed the UPN was
"oh waitshared calendars or the docctors [email protected]"
My first step was to search for that UPN via Powershell:
Get-ADUser -Filter {UserPrincipalName -like 'oh wait*'}
That led to the account in question.
I then ran:
Get-ADUser -Identity username -Properties *
I can see it was edited at 9:10 AM yesterday, but I can't see who edited it. Does anyone know of a way I can see the user who changed this via PowerShell?
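Before searching any logs it helps to know which domain controller actually took the write. The block below is an added example, not code from the original post: it uses the ActiveDirectory module's Get-ADReplicationAttributeMetadata (RSAT on Server 2012 or later), and `username` is the placeholder account name from the post. Per-attribute replication metadata records when userPrincipalName last changed, how many times it has changed, and the DC where the write originated; it does not record who wrote it, which exists only in that DC's Security log and only if auditing was on at the time.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory RSAT
# module and a 2012+ forest; 'username' is the placeholder from the post.
Import-Module ActiveDirectory

function Get-UpnChangeOrigin {
    param(
        [Parameter(Mandatory)] [string] $Identity,      # sAMAccountName found with Get-ADUser -Filter
        [string] $Attribute = 'userPrincipalName',
        [string] $Server    = (Get-ADDomain).PDCEmulator # -Server is mandatory for the metadata cmdlet
    )

    $user = Get-ADUser -Identity $Identity -Properties whenChanged

    # Per-attribute replication metadata: when the attribute last changed, how
    # many times (Version), and the NTDS Settings DN of the DC where the write
    # originated. It never records the writer; that lives only in the Security log.
    $meta = Get-ADReplicationAttributeMetadata -Object $user -Server $Server |
            Where-Object { $_.AttributeName -eq $Attribute }

    # Map the NTDS Settings DN back to a DC host name so you know whose
    # Security log to search.
    $originDc = Get-ADDomainController -Filter * |
                Where-Object { $_.NTDSSettingsObjectDN -eq $meta.LastOriginatingChangeDirectoryServerIdentity }

    [pscustomobject]@{
        User              = $user.SamAccountName
        Attribute         = $Attribute
        CurrentValue      = $meta.AttributeValue
        LastChanged       = $meta.LastOriginatingChangeTime   # compare with whenChanged on the object
        ObjectWhenChanged = $user.whenChanged
        ChangeCount       = $meta.Version
        OriginatingDC     = if ($originDc) { $originDc.HostName } else { 'not found (demoted DC or other domain?)' }
        WhereToLookNext   = "Security log on the originating DC, events 5136/4738 around $($meta.LastOriginatingChangeTime)"
    }
}

Get-UpnChangeOrigin -Identity 'username' | Format-List
```

The whenChanged timestamp on the object only says the object was touched; the attribute-level metadata narrows it to the UPN itself and to the DC whose Security log is worth searching, since audit events are written on the DC that processed the change and are not replicated.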
-
I'm pretty sure you'd need third-party auditing like Netwrix Auditor for AD for that level of logging.
-
@nadnerB You can do it via Group Policy, I believe. I also think the default Windows Server auditing allows you to see this. I'm just wondering how you would view it in PowerShell, if you can, or if it would automatically be included if auditing is turned on.
-
@wirestyle22 said in Finding Who Changed a Property of an Active Directory User in PowerShell:
@nadnerB You can do it via Group Policy, I believe. I also think the default Windows Server auditing allows you to see this. I'm just wondering how you would view it in PowerShell, if you can, or if it would automatically be included if auditing is turned on.
That's just it. I don't think anyone here knows if auditing for something like that is even turned on by default. The audit history goes into the Event Viewer, though (I'm pretty sure, at least), so you'd have to search that for the change.
-
@Dashrender said in Finding Who Changed a Property of an Active Directory User in PowerShell:
@wirestyle22 said in Finding Who Changed a Property of an Active Directory User in PowerShell:
@nadnerB You can do it via Group Policy, I believe. I also think the default Windows Server auditing allows you to see this. I'm just wondering how you would view it in PowerShell, if you can, or if it would automatically be included if auditing is turned on.
That's just it. I don't think anyone here knows if auditing for something like that is even turned on by default. The audit history goes into the Event Viewer, though (I'm pretty sure, at least), so you'd have to search that for the change.
It's not on by default, for sure.
-
I'm pretty sure you can turn on auditing, but something like the Netwrix app helps aggregate all that additional data into useful results.
-
@RojoLoco said in Finding Who Changed a Property of an Active Directory User in PowerShell:
I'm pretty sure you can turn on auditing, but something like the Netwrix app helps aggregate all that additional data into useful results.
I've generally been told by my co-workers over the years to never have auditing enabled because it destroys performance. I have no idea if this is true because, frankly, no company I've ever worked at has used it, including the one I am at now.
-
@wirestyle22 said in Finding Who Changed a Property of an Active Directory User in PowerShell:
@RojoLoco said in Finding Who Changed a Property of an Active Directory User in PowerShell:
I'm pretty sure you can turn on auditing, but something like the Netwrix app helps aggregate all that additional data into useful results.
I've generally been told by my co-workers over the years to never have auditing enabled because it destroys performance. I have no idea if this is true because, frankly, no company I've ever worked at has used it, including the one I am at now.
It is true to a point, though "destroy", I guess, would depend more on how taxed the system already is. You'd have to get a baseline with it disabled, then enable it and look at how much new strain there is.
-
@Dashrender said in Finding Who Changed a Property of an Active Directory User in PowerShell:
@wirestyle22 said in Finding Who Changed a Property of an Active Directory User in PowerShell:
@RojoLoco said in Finding Who Changed a Property of an Active Directory User in PowerShell:
I'm pretty sure you can turn on auditing, but something like the Netwrix app helps aggregate all that additional data into useful results.
I've generally been told by my co-workers over the years to never have auditing enabled because it destroys performance. I have no idea if this is true because, frankly, no company I've ever worked at has used it, including the one I am at now.
It is true to a point, though "destroy", I guess, would depend more on how taxed the system already is. You'd have to get a baseline with it disabled, then enable it and look at how much new strain there is.
No one is going to accept a performance hit with the premiums we are paying. Seems like an unsolvable problem. I priced out Netwrix and I can already see it's going to be an immediate no.
-
@wirestyle22 said in Finding Who Changed a Property of an Active Directory User in PowerShell:
@Dashrender said in Finding Who Changed a Property of an Active Directory User in PowerShell:
@wirestyle22 said in Finding Who Changed a Property of an Active Directory User in PowerShell:
@RojoLoco said in Finding Who Changed a Property of an Active Directory User in PowerShell:
I'm pretty sure you can turn on auditing, but something like the Netwrix app helps aggregate all that additional data into useful results.
I've generally been told by my co-workers over the years to never have auditing enabled because it destroys performance. I have no idea if this is true because, frankly, no company I've ever worked at has used it, including the one I am at now.
It is true to a point, though "destroy", I guess, would depend more on how taxed the system already is. You'd have to get a baseline with it disabled, then enable it and look at how much new strain there is.
No one is going to accept a performance hit with the premiums we are paying. Seems like an unsolvable problem. I priced out Netwrix and I can already see it's going to be an immediate no.
Well, this is a one-off issue, so yeah, spending money to solve this one issue seems crazy, especially with the prices for that shit!
What premium are you paying? Are the VMs not locally hosted on hardware you own? Is there no overhead on those servers, i.e., are they all running at 100% utilization, or near it?
-
@Dashrender said in Finding Who Changed a Property of an Active Directory User in PowerShell:
@wirestyle22 said in Finding Who Changed a Property of an Active Directory User in PowerShell:
@Dashrender said in Finding Who Changed a Property of an Active Directory User in PowerShell:
@wirestyle22 said in Finding Who Changed a Property of an Active Directory User in PowerShell:
@RojoLoco said in Finding Who Changed a Property of an Active Directory User in PowerShell:
I'm pretty sure you can turn on auditing, but something like the Netwrix app helps aggregate all that additional data into useful results.
I've generally been told by my co-workers over the years to never have auditing enabled because it destroys performance. I have no idea if this is true because, frankly, no company I've ever worked at has used it, including the one I am at now.
It is true to a point, though "destroy", I guess, would depend more on how taxed the system already is. You'd have to get a baseline with it disabled, then enable it and look at how much new strain there is.
No one is going to accept a performance hit with the premiums we are paying. Seems like an unsolvable problem. I priced out Netwrix and I can already see it's going to be an immediate no.
Well, this is a one-off issue, so yeah, spending money to solve this one issue seems crazy, especially with the prices for that shit!
What premium are you paying? Are the VMs not locally hosted on hardware you own? Is there no overhead on those servers, i.e., are they all running at 100% utilization, or near it?
We have millions of dollars' worth of VxRail servers in our data center. They are just not going to want to take any performance hit whatsoever.
-
On-prem or off-prem? If on-prem, look at the audit log in Event Viewer. If Azure, go into the Azure AD audit logs. Both will tell you exactly who changed what.
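For the on-prem case, this is what "look at the audit log" amounts to in PowerShell. The block is an added example and not code from the thread. It assumes the ActiveDirectory RSAT module, permission to read the domain controller's Security log (local admin or the Event Log Readers group, plus the "Remote Event Log Management" firewall rule for a remote query), and that the relevant audit subcategories were already enabled when the edit was made; `username` and the DC selection are placeholders. Two Security events record who changed a user attribute: 5136 (subcategory Directory Service Changes) names the attribute with its old and new values, and 4738 (subcategory User Account Management) fires for edits to user accounts and carries the new UPN in its own field.

```powershell
# Added example (not from the original thread). Assumes: the ActiveDirectory
# RSAT module; read access to the DC's Security log (local admin or Event Log
# Readers plus the "Remote Event Log Management" firewall rule); and that the
# audit subcategories were enabled when the change happened. 'username' and
# the DC choice are placeholders.
Import-Module ActiveDirectory

function Find-ADAttributeChangeAuthor {
    param(
        [Parameter(Mandatory)] [string] $Identity,                 # sAMAccountName of the edited user
        [string]   $Attribute        = 'userPrincipalName',
        [string]   $DomainController = (Get-ADDomain).PDCEmulator, # use the originating DC if you know it
        [datetime] $Start            = (Get-Date).AddDays(-2),
        [datetime] $End              = (Get-Date)
    )

    $targetDn = (Get-ADUser -Identity $Identity).DistinguishedName

    # 5136 "A directory service object was modified": one event per attribute
    #      value, old value as "Value Deleted" and new value as "Value Added".
    # 4738 "A user account was changed": one event per edit, unchanged fields
    #      shown as "-", new UPN in the UserPrincipalName field.
    $filter = @{ LogName = 'Security'; Id = 5136, 4738; StartTime = $Start; EndTime = $End }
    $events = Get-WinEvent -ComputerName $DomainController -FilterHashtable $filter -ErrorAction SilentlyContinue

    $opNames = @{ '%%14674' = 'Value Added'; '%%14675' = 'Value Deleted' }

    foreach ($ev in $events) {
        # Flatten <EventData><Data Name="...">text</Data> into a hashtable.
        $d = @{}
        ([xml]$ev.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }

        $hit = $null
        if ($ev.Id -eq 5136 -and $d.ObjectDN -eq $targetDn -and $d.AttributeLDAPDisplayName -eq $Attribute) {
            $hit = @{ Operation = $opNames[$d.OperationType]; Value = $d.AttributeValue }
        }
        elseif ($ev.Id -eq 4738 -and $d.TargetUserName -eq $Identity -and
                $Attribute -eq 'userPrincipalName' -and $d.UserPrincipalName -ne '-') {
            $hit = @{ Operation = 'Account changed'; Value = $d.UserPrincipalName }
        }
        if (-not $hit) { continue }

        # SubjectUserName is the account that performed the LDAP write. If a
        # service account (helpdesk portal, Azure AD Connect) shows up here, the
        # human is one hop further back, in that tool's own logs.
        [pscustomobject]@{
            Time      = $ev.TimeCreated
            EventId   = $ev.Id
            ChangedBy = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            LogonId   = $d.SubjectLogonId   # correlate with 4624 on the same DC to find the source host
            Target    = $Identity
            Attribute = $Attribute
            Operation = $hit.Operation
            Value     = $hit.Value
            DC        = $DomainController
        }
    }
}

# If this returns nothing, check on the DC whether the subcategories are on;
# auditing cannot be applied retroactively, so enabling it now only covers
# future edits:
#   auditpol /get /subcategory:"Directory Service Changes"
#   auditpol /get /subcategory:"User Account Management"
# Enable Success auditing via the Default Domain Controllers Policy, or for a
# quick local test:  auditpol /set /subcategory:"Directory Service Changes" /success:enable

Find-ADAttributeChangeAuthor -Identity 'username' | Sort-Object Time | Format-Table -AutoSize
```

Audit events are written on the DC that processed the change and are not replicated, so run this against the originating DC (or loop over Get-ADDomainController -Filter * and pass each HostName as -DomainController). Event 5136 also depends on the object's SACL, not just the subcategory, so confirm with a test edit of a test account before relying on it. In practice the cost of this auditing on a DC is Security log volume rather than CPU, so size the log (for example wevtutil sl Security /ms:<bytes>) or forward it to a collector rather than leaving it off.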
-
@Obsolesce It's only contained in Event Viewer if you have auditing enabled, correct?
-
Wouldn't it be easier to see who sent that e-mail or updated the ticket with that info?
-
@wrx7m It's just an auto-generated e-mail telling me that Azure can't sync the user because the UserPrincipalName is in the wrong format.
-
@wirestyle22 said in Finding Who Changed a Property of an Active Directory User in PowerShell:
@wrx7m It's just an auto-generated e-mail telling me that Azure can't sync the user because the UserPrincipalName is in the wrong format.
Right, but they were typing that sentence to someone. Was it in a logged conversation?
-
@wrx7m said in Finding Who Changed a Property of an Active Directory User in PowerShell:
@wirestyle22 said in Finding Who Changed a Property of an Active Directory User in PowerShell:
@wrx7m It's just an auto-generated e-mail telling me that Azure can't sync the user because the UserPrincipalName is in the wrong format.
Right, but they were typing that sentence to someone. Was it in a logged conversation?
I'm not allowed to search people's e-mails. It might be, though.
-
@wirestyle22 said in Finding Who Changed a Property of an Active Directory User in PowerShell:
@wrx7m said in Finding Who Changed a Property of an Active Directory User in PowerShell:
@wirestyle22 said in Finding Who Changed a Property of an Active Directory User in PowerShell:
@wrx7m It's just an auto-generated e-mail telling me that Azure can't sync the user because the UserPrincipalName is in the wrong format.
Right, but they were typing that sentence to someone. Was it in a logged conversation?
I'm not allowed to search people's e-mails. It might be, though.
Just saying that someone who was allowed could do that.
-
@wrx7m said in Finding Who Changed a Property of an Active Directory User in PowerShell:
@wirestyle22 said in Finding Who Changed a Property of an Active Directory User in PowerShell:
@wrx7m said in Finding Who Changed a Property of an Active Directory User in PowerShell:
@wirestyle22 said in Finding Who Changed a Property of an Active Directory User in PowerShell:
@wrx7m It's just an auto-generated e-mail telling me that Azure can't sync the user because the UserPrincipalName is in the wrong format.
Right, but they were typing that sentence to someone. Was it in a logged conversation?
I'm not allowed to search people's e-mails. It might be, though.
Just saying that someone who was allowed could do that.
No one is, unfortunately. We have to have a reason to go look. It would need to be approved by my boss. I have access to do it, but I am not allowed.