Hi All,
We have 4 Domain controllers and we use CyberArk PAM to protect the privileged user login.
Someone from the AD Mgmt team has logged in to one of the AD servers (DC01), accessed a Java LDAP browser and did regular cleanup of already deleted users.
The Java LDAP browser is pre-configured with an Admin account who has full rights to an OU (OU=CHN, OU=Archive). Under this OU, there are around 200K users.
We had an incident today where around 10K users were deleted within 10 minutes from OU=CHN; during that time one of my team members was doing the cleanup. But he says that he deleted only the already deleted users from the OU=Archive container.
There is no session recording or any logs further to verify it.
Is it possible from AD Event Viewer whether any OU deletion was executed by that user?
If he had deleted the OU=CHN, it would have initiated deleting the child user objects first and at last it would delete the OU=CHN. This is my assumption and suspicion.
To prove that, can this delete OU event be recorded in event viewer?
In Event Viewer, I can see logon, logoff, and 10K delete events from the service account that is preconfigured in the LDAP browser.
But I want to see exactly whether he deleted the OU=CHN or not...
Kindly help.
Thanks
DK
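Added example (not from the poster's environment or tools): a PowerShell check of the Security log on the domain controllers for event 5141 (A directory service object was deleted), which records the deleted object's class, its DN and whether the deletion was a tree delete. It assumes the "Audit Directory Service Changes" subcategory was already enabled on the DCs (the 10K delete events DK can see suggest it was), and the names DC02-DC04 for the other three DCs are assumed.

```powershell
# Added example, not from the original post. Assumes Directory Service Changes auditing
# is enabled so that Security event 5141 exists; DC01 and OU=CHN come from the post,
# DC02-DC04 are assumed names. Run from a host that can read the DCs' Security logs.
$DCs      = 'DC01','DC02','DC03','DC04'
$TargetOU = 'OU=CHN'                       # as named in the post
$Start    = (Get-Date).AddDays(-1)         # narrow this to the incident window

# 5141 is written on the DC that performed the delete, so every DC must be queried.
$Filter = @{ LogName = 'Security'; Id = 5141; StartTime = $Start }

$Events = foreach ($dc in $DCs) {
    Get-WinEvent -ComputerName $dc -FilterHashtable $Filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Pull the named EventData fields out of the event XML.
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                DC          = $dc
                Time        = $_.TimeCreated
                Subject     = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                LogonId     = $d.SubjectLogonId
                ObjectClass = $d.ObjectClass
                ObjectDN    = $d.ObjectDN
                TreeDelete  = $d.TreeDelete    # "Yes" when the object was removed by a tree delete
            }
        }
}

# 1) Was an OU itself deleted? Deleting OU=CHN (with or without subtree) produces a 5141
#    whose ObjectClass is organizationalUnit; TreeDelete=Yes shows it was a subtree delete.
Write-Host '--- OU deletions ---'
$Events | Where-Object { $_.ObjectClass -eq 'organizationalUnit' } |
    Sort-Object Time | Format-Table Time, DC, Subject, TreeDelete, ObjectDN -AutoSize

# 2) Timeline of user deletions under OU=CHN, bucketed per minute, subject and logon session,
#    to compare the 10-minute burst against the cleanup the team member describes.
Write-Host '--- user deletions under OU=CHN per minute / session ---'
$Events | Where-Object { $_.ObjectClass -eq 'user' -and $_.ObjectDN -like "*$TargetOU*" } |
    Group-Object { $_.Time.ToString('yyyy-MM-dd HH:mm') }, Subject, LogonId |
    Sort-Object Name | Format-Table Count, Name -AutoSize
```

Because the LDAP browser binds with the preconfigured service account, the Subject on every 5141 will be that account rather than the person at the keyboard; the SubjectLogonId lets you match the deletions to the corresponding 4624 logon event (source workstation/address) on the DC that logged them.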