I've turned on Audit Account Management to monitor for deletion of user accounts from Active Directory. Can I view these events in the Security log on the domain controller? We have two domain controllers - will the event be in both logs, or will I need to check both machines? What Category should I be looking for?
I ask because I have a recurring problem where a SharePoint list stops receiving email. This is because some user/process/gremlin is deleting the email alias account in Active Directory every so often. This has just happened again and I would like to see the event recorded in a log so I can identify the user/process/gremlin.
Edit
This is a Contact, not a User. I don't know if that makes a difference...
Security events show up in the Log of the DC that was used to process the request, so which ever DC was used to verify the accounts privilages. So you will need to check both DC's.
You can use the free Event Comb tool, included in the server 2003 resource kit, this can gather specific events from multiple computers and display them in one place.
You'll need to check both. You are looking for event ID 630 in the category Account Management. Here's the reference as to the format of the event record, in case you are parsing this automatically via a script:
http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=630