Searching for "SecurityNik" across "All Time" returned "28,376 events (before 7/10/15 11:13:04.000 AM)".
From below, we see that on "07/08/2015 06:31:55 PM" the "SecurityNik" account was disabled by user "OtherAdmin" on computer "SecurityNik_DC.securitynik.com", which is one of the Domain Controllers.
07/08/2015 06:31:55 PM
EventCode=4738
Message=A user account was changed
ComputerName=SecurityNik_DC.securitynik.com
Subject:
Security ID: SECURITYNIK\OtherAdmin
Logon ID: 0x13309228
Target Account:
Security ID: SECURITYNIK\SecurityNik
Old UAC Value: 0x10210
New UAC Value: 0x10211
User Account Control: Account Disabled
Below shows that the account "SecurityNik" was also disabled on "03/13/2015 11:27:03 AM", this time by user "SecurityAdmin". Whereas above it was disabled on the Domain Controller "SecurityNik_DC.securitynik.com", in this case it was disabled on "SECURITYNIK_TS".
03/13/2015 11:27:03 AM
EventCode=4738
Message=A user account was changed
ComputerName=SECURITYNIK_TS
Subject:
Security ID: SECURITYNIK_TS\SecurityAdmin
Logon ID: 0x85817e4d
Target Account:
Security ID: SECURITYNIK_TS\SecurityNik
Old UAC Value: 0x10
New UAC Value: 0x11
User Account Control:
Account Disabled
Analyzing "SECURITYNIK_TS"
Running the command "C:\>net user | findstr /i SecurityNik" determined that the user "SecurityNik" has an account on "SECURITYNIK_TS".
Learning more about account "SecurityNik"
Running "C:\>net user SecurityNik" shows (non-relevant information removed):
User name SecurityNik
Full Name SecurityNik
Account active No
Last logon 7/20/2014 10:42:40 PM
The information above confirms that the "SecurityNik" account is disabled on computer "SECURITYNIK_TS".
"SecurityNik" account being enabled on "SECURITYNIK_TS"
Below shows that the "SecurityNik" account was enabled on "SECURITYNIK_TS" by user "SecurityAdmin". Please note this "SecurityAdmin" account is local to the machine and not a Domain account.
06/10/2014 04:38:00 PM
EventCode=4738
ComputerName=SECURITYNIK_TS
Message=A user account was changed.
Subject:
Security ID: SECURITYNIK_TS\SecurityAdmin
Logon ID: 0x4a072799
Target Account:
Security ID: SECURITYNIK_TS\SecurityNik
User Account Control:
Account Enabled
"SecurityNik" account being enabled on "SecurityNik_DC.securitynik.com"
Below shows that the account "SecurityNik" was enabled on "06/10/2014 10:12:52 AM" by user "OtherAdmin".
06/10/2014 10:12:52 AM
EventCode=4738
ComputerName=SecurityNik_DC.securitynik.com
Message=A user account was changed.
Subject:
Security ID: SECURITYNIK\OtherAdmin
Logon ID: 0xa6644425
Target Account:
Security ID: SECURITYNIK\SecurityNik
User Account Control:
Account Enabled
The findings at this point are that for the domain "securitynik.com", the user "SecurityNik" was last enabled on "06/10/2014 10:12:52 AM" by account "OtherAdmin". In addition, the local "SecurityNik" account on computer "SECURITYNIK_TS" was enabled by account "SecurityAdmin".
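To carry the reasoning above into code, here is an added example (it is not from the original post, nor from Splunk or Microsoft) that parses the four event 4738 excerpts shown on this page, works out from the Old/New UAC values which flag flipped, and reports the last enable and the last disable of each target account per computer together with the account that made the change. It assumes that the UAC values use the SAM USER_ACCOUNT_CONTROL bit encoding (MS-SAMR), with 0x1 being the "account disabled" bit, which is what the 0x10 to 0x11 and 0x10210 to 0x10211 transitions above suggest; the flag names come from that specification, and the function names are my own. Where an event carries no UAC values (the two enable events above), the code falls back to the "User Account Control" text.

```python
"""Reconstruct an account's enable/disable history from Windows event 4738 excerpts."""
from datetime import datetime

# Bits of the "Old/New UAC Value" fields. Assumption: event 4738 reports the SAM
# USER_ACCOUNT_CONTROL encoding (MS-SAMR), not the LDAP userAccountControl one.
UAC_FLAGS = {
    0x00001: "USER_ACCOUNT_DISABLED",
    0x00010: "USER_NORMAL_ACCOUNT",
    0x00200: "USER_DONT_EXPIRE_PASSWORD",
    0x10000: "USER_DONT_REQUIRE_PREAUTH",  # Kerberos pre-auth not required: worth a second look
}
DISABLED_BIT = 0x1
TIME_FMT = "%m/%d/%Y %I:%M:%S %p"  # timestamp format as Splunk showed it on the page


def decode_uac(value):
    """Names of the known flags set in a UAC value, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def parse_4738(text):
    """Parse one pasted event (timestamp line, key=value lines, indented sections)."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    ev = {"time": datetime.strptime(lines[0], TIME_FMT), "computer": None,
          "subject": None, "target": None, "old_uac": None, "new_uac": None, "uac_text": []}
    section = None
    for ln in lines[1:]:
        if "=" in ln and ":" not in ln.split("=", 1)[0]:      # EventCode=..., ComputerName=...
            key, val = (s.strip() for s in ln.split("=", 1))
            if key == "ComputerName":
                ev["computer"] = val
            continue
        if ln.endswith(":"):                                    # Subject:, Target Account:, ...
            section = ln[:-1]
            continue
        if ":" in ln:
            key, val = (s.strip() for s in ln.split(":", 1))
            if key == "Security ID" and section == "Subject":
                ev["subject"] = val                             # who made the change
            elif key == "Security ID" and section == "Target Account":
                ev["target"] = val                              # whose account was changed
            elif key == "Old UAC Value":
                ev["old_uac"] = int(val, 16)
            elif key == "New UAC Value":
                ev["new_uac"] = int(val, 16)
            elif key == "User Account Control":                 # same-line form
                section = key
                ev["uac_text"].append(val)
            continue
        if section == "User Account Control":                   # e.g. "Account Disabled"
            ev["uac_text"].append(ln)
    return ev


def changed_flags(ev):
    """Flags that differ between old and new UAC value; empty if the event lacks them."""
    if ev["old_uac"] is None or ev["new_uac"] is None:
        return []
    return decode_uac(ev["old_uac"] ^ ev["new_uac"])


def account_state_change(ev):
    """'enabled', 'disabled' or None. Prefer the bit flip; fall back to the text field."""
    if ev["old_uac"] is not None and ev["new_uac"] is not None:
        if (ev["old_uac"] ^ ev["new_uac"]) & DISABLED_BIT:
            return "disabled" if ev["new_uac"] & DISABLED_BIT else "enabled"
        return None
    text = " ".join(ev["uac_text"])
    if "Account Disabled" in text:
        return "disabled"
    if "Account Enabled" in text:
        return "enabled"
    return None


def last_state_changes(events):
    """Per (computer, target account): most recent enable and disable, with time and actor."""
    history = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        action = account_state_change(ev)
        if action is None:
            continue
        key = (ev["computer"], ev["target"])
        history.setdefault(key, {})[action] = (ev["time"].strftime(TIME_FMT), ev["subject"])
    return history


# Sample input: the four events quoted on this page, pasted verbatim.
SAMPLE_EVENTS = [
    r"""07/08/2015 06:31:55 PM
EventCode=4738
Message=A user account was changed
ComputerName=SecurityNik_DC.securitynik.com
Subject:
Security ID: SECURITYNIK\OtherAdmin
Logon ID: 0x13309228
Target Account:
Security ID: SECURITYNIK\SecurityNik
Old UAC Value: 0x10210
New UAC Value: 0x10211
User Account Control: Account Disabled""",
    r"""03/13/2015 11:27:03 AM
EventCode=4738
Message=A user account was changed
ComputerName=SECURITYNIK_TS
Subject:
Security ID: SECURITYNIK_TS\SecurityAdmin
Logon ID: 0x85817e4d
Target Account:
Security ID: SECURITYNIK_TS\SecurityNik
Old UAC Value: 0x10
New UAC Value: 0x11
User Account Control:
Account Disabled""",
    r"""06/10/2014 04:38:00 PM
EventCode=4738
ComputerName=SECURITYNIK_TS
Message=A user account was changed.
Subject:
Security ID: SECURITYNIK_TS\SecurityAdmin
Logon ID: 0x4a072799
Target Account:
Security ID: SECURITYNIK_TS\SecurityNik
User Account Control:
Account Enabled""",
    r"""06/10/2014 10:12:52 AM
EventCode=4738
ComputerName=SecurityNik_DC.securitynik.com
Message=A user account was changed.
Subject:
Security ID: SECURITYNIK\OtherAdmin
Logon ID: 0xa6644425
Target Account:
Security ID: SECURITYNIK\SecurityNik
User Account Control:
Account Enabled""",
]
EVENTS = [parse_4738(t) for t in SAMPLE_EVENTS]

if __name__ == "__main__":
    for ev in EVENTS:
        print(ev["time"].strftime(TIME_FMT), ev["computer"], ev["target"],
              account_state_change(ev), changed_flags(ev))
    for (computer, target), actions in last_state_changes(EVENTS).items():
        print(f"{target} on {computer}: {actions}")
```

Because the DC and the terminal server each keep their own copy of the account, the history is keyed by computer as well as by target SID; collapsing the two would hide exactly the distinction the post draws between the domain account and the local one. Decoding the other bits in the old value (for instance 0x10000, pre-authentication not required) costs nothing and is the kind of detail an analyst would want flagged while already looking at the event.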
Just did the same twice today. Splunk is an amazing tool.
AntDun,
Glad you found this post helpful.