Friday, January 13, 2006

Finding where a user was deleted

A blog I review posted 3 steps that show who deleted a user account.


  1. adfind -default -showdel -f (isdeleted=TRUE) -gc

  2. repadmin /showobjmeta dcname deletedobjectDN find /i "isdeleted"

  3. Eventcomb to find event id in security logs.

      4. a. psloglist \\dcname security -i 630 -a date.


Link
Posted by at