Hello colleagues. Could you help me find the humorist who detached a server from the domain, please? Could it be done with PowerShell tools, maybe somewhere in the WMI objects... I was looking in the Security logs – nothing was found.
Thanks a lot.
by DonJ at 2013-04-01 12:03:56
If you're not auditing that event, there isn't any way to tell. If you are, it'll be in your Security event log. That's the only place it would be recorded.
by lopyeg at 2013-04-01 12:26:42
Thanks a lot. It seems it will stay unknown :( How can I close or remove the topic, if that is possible?
by coderaven at 2013-04-01 13:47:06
There may be other ways.
1. Check the terminal services log and see if they did it through terminal services; the computer name would be in the message. I assume they used local administrator.
2. If your DCs are auditing change events, the removal should have been logged on one of the site DCs, along with the account that was used to do it. It would help if the user did not use a service account or something like that.
3. Check for printer connections as well. Again, if they used terminal services, a printer connection would have been made if the connecting system had printers.
Looking at the System log on the system, you know the time that it was removed from the domain; use that time to help search the DCs and other logs.
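
The search described in this thread, as an added PowerShell example that is not code from any of the posters: it takes the removal time from the server's System log and looks for Remote Desktop sessions on the server and computer-account changes on the DCs in that window. The server name, DC names and timestamp are placeholders, the event IDs (21/25, 4624, 4742/4743) are the standard Windows ones rather than values named in the thread, and the Security events exist only if auditing was enabled at the time.

```powershell
# Placeholders / constructed values: replace with your own.
$Server    = 'SERVER01'                    # hypothetical: the machine that left the domain
$DCs       = 'DC01', 'DC02'                # hypothetical: DCs in that server's site
$RemovedAt = Get-Date '2013-03-29 14:30'   # constructed: time read from the server's System log
$Start     = $RemovedAt.AddHours(-2)
$End       = $RemovedAt.AddMinutes(15)

# Flatten the named EventData fields of a Security event into an object.
function Get-EventFields {
    param([Parameter(ValueFromPipeline)]$Record, [string[]]$Names)
    process {
        $data = ([xml]$Record.ToXml()).Event.EventData.Data
        $row  = [ordered]@{ Time = $Record.TimeCreated; Host = $Record.MachineName; Id = $Record.Id }
        foreach ($n in $Names) { $row[$n] = ($data | Where-Object Name -eq $n).'#text' }
        [pscustomobject]$row
    }
}

# 1. Terminal services sessions on the server (21 = session logon, 25 = reconnect).
#    The message text carries the user and the source network address.
#    The server is no longer a domain member, so a local admin -Credential may be needed.
#    -ErrorAction SilentlyContinue hides the "no events found" error for an empty window.
Get-WinEvent -ComputerName $Server -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName   = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
    Id        = 21, 25
    StartTime = $Start
    EndTime   = $End
} | Select-Object TimeCreated, Id, Message

# 1b. Interactive (2) and RemoteInteractive (10) logons, only present if logon auditing was on.
Get-WinEvent -ComputerName $Server -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName = 'Security'; Id = 4624; StartTime = $Start; EndTime = $End
} | Get-EventFields -Names TargetUserName, LogonType, IpAddress, WorkstationName |
    Where-Object { $_.LogonType -in '2', '10' }

# 2. On each DC: 4742 = computer account changed, 4743 = computer account deleted.
#    SubjectUserName is the account that made the change to the server's computer object.
foreach ($dc in $DCs) {
    Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Security'; Id = 4742, 4743; StartTime = $Start; EndTime = $End
    } | Get-EventFields -Names TargetUserName, SubjectUserName, SubjectDomainName |
        Where-Object { $_.TargetUserName -eq "$Server`$" }
}
```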