To use this query, you are recommended to read the FULL context of the post. It is not simply a copy-and-paste query like others in the forum, but it is valuable in the right situation.
Hello,
I am not sure if I am in the right place here.
We need a query that shows who changed an Active Directory object, e.g. who disabled or enabled a computer in AD.
There are queries for user objects but I haven't found any for computer objects.
Can someone help me out here?
Many Thanks
Hi Dennis Franz1
Do you have ACL auditing enabled on your DCs? AD does not record who changed an object, just the timestamp of the last change.
Thanks!
Hi Jeramy,
Thanks a lot. I'm currently not in the office, but I'll test it ASAP and give you short feedback. Thanks again.
You will want to identify the specific event logs related to the objects you want to see changes on. You can always view descriptions of the event IDs at https://www.myeventlog.com.
It could be a query as simple as the following:
SELECT datetime(time, 'unixepoch', 'localtime') AS EventTimeStamp, source, provider_name, eventid, task_message, data FROM sophos_windows_events WHERE eventid IN ('4728', '4732', '4735', '4737')
I wrote this quickly but you could split the data field to be more readable.
-jk
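The query above filters on group-membership events (4728, 4732, 4735, 4737). For the computer objects in the original question, the Windows Security log IDs to swap into the IN list are 4741 (computer account created), 4742 (computer account changed) and 4743 (computer account deleted); 4742 carries the old and new User Account Control values, so an enable or disable can be read off the flag that flipped. The following is an added Python example (not code from the thread or from Sophos) that takes rows shaped like the query output and splits the `data` field into readable who/what/action columns, which is the "split the data field" step mentioned above. The JSON layout of `data` (an `EventData` object with the standard field names) and the sample rows are constructed assumptions for this example; confirm the real column contents on your own tenant before relying on the key names.

```python
import json
from datetime import datetime, timezone

# Windows Security event IDs for computer-account changes (real IDs; their
# use here is part of this added example, not the original query).
COMPUTER_ACCOUNT_EVENTS = {
    4741: "computer account created",
    4742: "computer account changed",
    4743: "computer account deleted",
}

# Bit meaning "account disabled" in the Old/New UAC Value fields of 4742
# (the event uses the SAM-style flag encoding, e.g. 0x80 = workstation
# trust account, 0x81 = same account disabled). Assumption for this example.
ACCOUNT_DISABLED = 0x1

# Constructed sample rows, shaped like the query's output columns.
# ASSUMPTION: `data` is a JSON string with an "EventData" object.
SAMPLE_ROWS = [
    {"time": 1700000000, "eventid": 4742,
     "data": json.dumps({"EventData": {
         "SubjectUserName": "jdoe", "SubjectDomainName": "CORP",
         "TargetUserName": "WS-0042$", "TargetDomainName": "CORP",
         "OldUacValue": "0x80", "NewUacValue": "0x81"}})},
    # A group-membership event; not a computer-object change, so it is skipped.
    {"time": 1700000300, "eventid": 4728,
     "data": json.dumps({"EventData": {
         "SubjectUserName": "asmith", "SubjectDomainName": "CORP",
         "TargetUserName": "Domain Admins", "TargetDomainName": "CORP"}})},
    {"time": 1700000600, "eventid": 4742,
     "data": json.dumps({"EventData": {
         "SubjectUserName": "jdoe", "SubjectDomainName": "CORP",
         "TargetUserName": "WS-0042$", "TargetDomainName": "CORP",
         "OldUacValue": "0x81", "NewUacValue": "0x80"}})},
]


def describe_computer_changes(rows):
    """Return one readable record per computer-account change event.

    Rows with other event IDs are ignored. For 4742 the action is refined
    to "disabled"/"enabled" when the disabled bit changed between the old
    and new UAC values; otherwise the generic description is used.
    """
    records = []
    for row in rows:
        eid = int(row["eventid"])
        if eid not in COMPUTER_ACCOUNT_EVENTS:
            continue
        fields = json.loads(row["data"]).get("EventData", {})
        action = COMPUTER_ACCOUNT_EVENTS[eid]
        if eid == 4742:
            old_uac = int(fields.get("OldUacValue", "0x0"), 16)
            new_uac = int(fields.get("NewUacValue", "0x0"), 16)
            if (old_uac ^ new_uac) & ACCOUNT_DISABLED:
                action = ("computer account disabled"
                          if new_uac & ACCOUNT_DISABLED
                          else "computer account enabled")
        records.append({
            "when": datetime.fromtimestamp(int(row["time"]),
                                           tz=timezone.utc).isoformat(),
            "who": f'{fields.get("SubjectDomainName", "")}\\'
                   f'{fields.get("SubjectUserName", "")}',
            "target": f'{fields.get("TargetDomainName", "")}\\'
                      f'{fields.get("TargetUserName", "")}',
            "action": action,
        })
    return records


if __name__ == "__main__":
    for rec in describe_computer_changes(SAMPLE_ROWS):
        print(f'{rec["when"]}  {rec["who"]:<14} {rec["action"]:<28} {rec["target"]}')
```

Run against the sample rows it prints two lines: the disable of WS-0042$ by CORP\jdoe and the later re-enable, with the 4728 row dropped. The same post-processing applies to whatever rows the Live Discover query returns once the IN list has been changed to the computer-account IDs.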
Thanks for your reply. Yes, ACL auditing is active.