Query who has modified an Active Directory object

Hi Dennis Franz1

Do you have ACL auditing enabled on your DCs? AD does not record who changed an object, just the timestamp of the last change.

Thanks!

Hi Jeramy,

thanks for your reply. Yes ACL auditing is activ.

Hi Jeramy,

thanks a lot. I’m currently not in the office but I test it ASAP and give you a short feedback. Thanks again.

Hi Dennis Franz1

You will want to identify the specific event logs related to what objects you want to see changes on. You can always view description of the event IDs at https://www.myeventlog.com.

It could be a query as simple as the following:

SELECT datetime(time, 'unixepoch', 'localtime') AS EventTimeStamp, source,
provider_name, eventid, task_message, data
FROM sophos_windows_events
WHERE eventid
IN ('4728', '4732', '4735', '4737')

I wrote this quickly but you could split the data field to be more readable.

Hi Dennis Franz1

You will want to identify the specific event logs related to what objects you want to see changes on. You can always view description of the event IDs at https://www.myeventlog.com.

It could be a query as simple as the following:

SELECT datetime(time, 'unixepoch', 'localtime') AS EventTimeStamp, source,
provider_name, eventid, task_message, data
FROM sophos_windows_events
WHERE eventid
IN ('4728', '4732', '4735', '4737')

I wrote this quickly but you could split the data field to be more readable.

Hi Jeramy,

thanks a lot. I’m currently not in the office but I test it ASAP and give you a short feedback. Thanks again.