Rogue system administrator accounts

sraveendran

IS-IT--Management
Jun 12, 2006
Hi

Does anyone know if there is a way to find out who created a user? (I already know the date created.) We have a serious problem here: I think I know who created a load of admin accounts on the server (Windows Server 2003), but he is denying it. Any help would be appreciated.

Thanks

 
If you have auditing enabled on your server, you should be able to track the following events:
624 User account created
639 Security enabled local group changed

Hope this helps
 
Thanks for the reply. Please see my auditing options below. I can seem to find EVT 624 and it only shows for 10/12/2007 to 11/12/2007.

Audit Account management set to Success/failure

Audit Policy Change set to Success/failure

Audit Process tracking set to No Auditing

Everything else set to failure

Is this the correct setup to identify the account creator?

Thanks
 
I would also audit privilege use. As for why your logs only show a month's worth of data, that is because of your event log settings. I usually set the security log to a size of 528MB and to delete records every 60 days.
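
An added example, not part of any post in this thread: one way to pull events 624 and 639 out of the Security log and list who triggered each one. It assumes PowerShell is installed on the server, and that the event text uses the labels "New Account Name", "Target Account Name", "Caller User Name" and "Caller Domain"; the helper name `Get-Field` is made up for this example.

```powershell
# Added example: run in an elevated session on the server that holds the
# Security log (for domain accounts, the domain controller that handled the change).
# 624 = user account created, 639 = security enabled local group changed.
$ids = 624, 639

# Hypothetical helper: pull "Label: value" out of the event message text.
# The labels used below are assumptions about the Server 2003 message layout;
# compare with one real event in Event Viewer and adjust if they differ.
function Get-Field([string]$Message, [string]$Label) {
    $pattern = [regex]::Escape($Label) + ':\s*(\S+)'
    if ($Message -match $pattern) { return $Matches[1] }
    return $null
}

$events = Get-EventLog -LogName Security -InstanceId $ids | Sort-Object TimeGenerated

$report = $events | Select-Object TimeGenerated, EventID,
    @{ Name = 'Account'; Expression = {
        # 624 names the new account; 639 names the group that was changed.
        $name = Get-Field $_.Message 'New Account Name'
        if (-not $name) { $name = Get-Field $_.Message 'Target Account Name' }
        $name } },
    @{ Name = 'CallerDomain'; Expression = { Get-Field $_.Message 'Caller Domain' } },
    @{ Name = 'CallerUser';   Expression = { Get-Field $_.Message 'Caller User Name' } }

# Oldest first, so an account creation and any group change that follows it
# appear next to each other with the caller shown for both.
$report | Format-Table -AutoSize

# Keep a copy outside the log, since the Security log is overwritten
# according to its size and retention settings.
$report | Export-Csv -Path .\account-audit.csv -NoTypeInformation
```

If nothing comes back for the date the accounts were created, the events have already aged out of the log and only a backup of the Security log from that period can answer the question.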
 