Hi
A domain account was sabotaged in my environment and I have been tasked to discover who did it.
I have about 60 DCs in a geographically dispersed private cloud running WIN2K3. Admins are granted a high level of trust, in that pretty much all of them have domain admin rights.
It appears that someone with high-level admin rights has modified another user's group memberships.
I have attempted to search through the logs on one of the DCs without success.
There are thousands of security logs, and a search for the user's name returns nothing.
It would be perfect if there were a tool similar to lockoutstatus.exe.
I have tried using EventCombMT, but after a very long search no useful information was returned (I simply don’t know how to use it).
Any help would be greatly appreciated.
Doug