Hello,
I have setup Active Directory Auditing (Creation/Deletion/Password Change) and tested with a couple of test users and all the results (Creation/Deletion/Password Change) appeared on Security Logs (4720/4726/4724) accordingly (Set Custom Filter="Anytime")
and deployed in the working environment and retested. Everything was OK and appeared all corresponding logs though this Morning I noticed all the previous logs were disappeared. (shows only today's logs). Where can I find all those custom filtered logs and
events?
I have several Domain Controllers and all DCs (7 of them) are enabled for Active Directory Auditing and configured "Event Subscriptions" to collect all Active Directory related logs from all DCs. Because of the logs (deletion/creation/Passord
Changes) are reported to the Domain Controller where the client machines are authenticated, it is still bit hard to find out who has deleted/created/updated the user account since We have 7 of Event Subscriptions (need to go every subscribed event
to search) Is there any way to concatenate all the subscription to one?
Thanks in advance,
Akira Sekine