How to create a search for the event(s) associated with an Active Directory Group account that was deleted
Description
An administrator needs to find the events associated with an Active Directory Group account that was deleted. The account cannot be targeted by browsing the subsystem objects (per KB73437) because it has already been removed.
Cause
When a Group object is deleted in Active Directory, the event that is captured is “Group object removed”. This is because the object is hidden and not actually physically deleted (for 60 days).
Resolution
Follow the steps below to target those Event Classes for a specific account:
Open the Change Auditor Client and select the “Search” tab
Click "New" in the Button Bar menu to create a new search
Select the “What” tab in the report properties section at the bottom
Click the “Add” button and type “user” in the filter section of the Event Class column
Select “group changed” and “user object removed”
Click the “Add” button in the lower pane to move your selection to the parameter section and click "OK"
Under the What tab click the drop down arrow to the right of the +Add With Events
Select “Subsystem” | “Active Directory” from the context menu
Under Object where it says 'Click here to filter data...' click the A icon and change the filter to 'Contains'
Enter all or part of the group name until you see a corresponding entry in the lower section
Click “Add” to move the entry to the filter list below then click “OK”
Now run the search.
Alternatively:
On the “What” tab, click the drop down arrow to the right of +Add.
Select “Subsystem” | “Active Directory” from the context menu.
Change the Scope: to This Object.
Enter all or part of the group name between asterisks in the field to the right of the “LIKE” operator in the lower section
Click “Add” to move the entry to the filter list below then click “OK”
Now run the search.
To return all events for the deleted user object for a specific time frame:
On the What tab click Add
Under Event class type group changed or group object removed and click Add
Select the Layout tab
Under Unselected Columns type Description
Click the > arrow to add it to the Selected Columns
Run the Search
When the results are returned click the 'A' icon under the Description column and select Contains
Type the name of the group
Double click the event that shows the original OU for the group
In the menu bar in the bottom pane click Related Search and select the group name (second entry from the bottom)
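To confirm the exact group name and original OU to use in the filters above, the hidden object can be read directly from Active Directory. This is an added example, not part of the original article or of Change Auditor; it assumes the ActiveDirectory PowerShell module (RSAT) and read access to deleted objects, and the function name and look-back window are hypothetical.

```powershell
# Added example (not Quest code): list deleted AD group objects that are still
# retained in the directory, with the OU they were deleted from.
Import-Module ActiveDirectory

function Find-DeletedAdGroup {              # hypothetical helper name
    param(
        # All or part of the group name. Restricted to simple characters so the
        # value can be placed in the LDAP filter without escaping.
        [Parameter(Mandatory)]
        [ValidatePattern('^[\w .\-]+$')]
        [string]$NamePart,

        # Assumed look-back window in days; adjust to the period under review.
        [int]$DaysBack = 30
    )

    $since  = (Get-Date).AddDays(-$DaysBack)
    $filter = "(&(isDeleted=TRUE)(objectClass=group)(sAMAccountName=*$NamePart*))"

    Get-ADObject -IncludeDeletedObjects -LDAPFilter $filter `
                 -Properties sAMAccountName, lastKnownParent, whenChanged, objectSid |
        # whenChanged is the last modification, normally the time of deletion.
        Where-Object { $_.whenChanged -ge $since } |
        Sort-Object whenChanged -Descending |
        Select-Object @{ n = 'Group';      e = { $_.sAMAccountName } },
                      @{ n = 'OriginalOU'; e = { $_.lastKnownParent } },
                      @{ n = 'DeletedAt';  e = { $_.whenChanged } },
                      @{ n = 'SID';        e = { $_.objectSid.Value } }
}

# Constructed sample call: groups with "Finance" in the name, last 14 days.
Find-DeletedAdGroup -NamePart 'Finance' -DaysBack 14 | Format-List
```

The Group and OriginalOU values returned can be used as the text for the 'Contains' and “LIKE” filters in the searches above.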
Product(s):
Change Auditor
7.3, 7.2, 7.1.1, 7.1
Topic(s):
How To
Article History:
Created on: 2/10/2016 Last Update on: 5/7/2023