Is there a way to trace who changed my password in Active Directory??

monkeygirl
I have a major problem and need help clearing my name!! I have been off sick for 3 months; just before I went off sick a laptop went missing from the office.
Somebody then logged onto the company's network via VPN using this laptop and using my username and password a few weeks later.

Is there any way to trace who changed my password in Active Directory and when this was changed? The problem is that my password has now been reset by a senior member of IT after the security breach, so they now can't see the last time my password was changed (which I know you can check).

I have worked for this company for some time and would like to make certain that my name is cleared for the theft. (I also know that if I had stolen a laptop the last thing I would have done would be to log on to the company's network as this is all picked up by Landesk!!!)

I think the laptop has been taken by someone in the IT department, so they would have had access to AD to change my password.
  • +
    0 Votes
    Wizard-09

    OK, first thing first: why would someone from the I.T. department want to steal a laptop to change a password in AD? This could have been done from their computer or another within the network.

    If someone logged in using VPN then there are logs of this; you may be able to gain the IP of the remote connection, trace it, then contact the ISP to find out who was released that address.

    +
    0 Votes
    monkeygirl

    I think the password was changed when the person who took the laptop was in the office. The laptop was assigned to me but was being used by a few members of the team. I have suspicions who took it, I just need to prove it without pointing the finger and accusing someone without evidence.

    I'm basically being stitched up for the theft..

    +
    0 Votes

    Then it is time for you to start pointing your finger to show that you did not take the laptop in question and you better start doing it fast so that the police can be involved and the laptop can be found and returned. If you do not do this, you will be the one that everyone will be pointing their finger at.
    So if you did not do it, it is about time to get the ball rolling and to clear your name in the process. This does not answer your question from your post, but from the legal point of view you need to act now.

    +
    0 Votes
    Wizard-09

    OK, so is the laptop still missing or has it been returned?

    Was the password changed on the laptop or was it changed in AD for all systems?

    I just don't get why anyone would steal the laptop; most people in I.T. get their own work laptop to deal with problems out of hours.

    I don't think you will get the person who took the laptop unless you have CCTV in the office or building. It's going to be a hard one. I would not worry about it unless you're getting in trouble over it; the best thing to do is put your case across and hope they see it was not you.

    +
    0 Votes
    monkeygirl

    The laptop is still missing, and the password would have had to have been changed in AD to log on to the network remotely.

    We don't all get a laptop to use, as most of the team work on the service desk. I get one because I do work out of hours.

    +
    0 Votes
    jdclyde

    for them to pull the IP address that was VPN'ed from, and compare it to your IP at home.

    Will either clear you, or put the last nail in your coffin.

    +
    0 Votes
    Beoweolf

    1. When going on extended leave, it is reasonable to either get permission to take the laptop home, in case you are called upon to perform some business function while 'out'. Otherwise, it would have been wise to "formally" turn it in to supervisor/manager, to remove your name from any responsibility. We all know there are some members of staff that have "flexible ethics" - while they may not have larceny in their hearts, give a win-win opportunity...they will take full advantage.
    2. I wonder why this was not noted as a matter of routine log evaluation - becoming a problem only after your return? This should have been caught immediately; a). you were on leave, should not be logging in, your account should have been disabled (by you when you left or by staff as a matter of due diligence, if you are/were not expected to dial in).
    3. Logs, according to how long they are stored, can determine the date/time, incoming IP or phone, as well as other information. Any one of which should have cleared your name immediately. If this issue has continued to fester, it would seem there may be some evidence that supports their case.

    Your options are simple; if you wish to keep the position, acknowledge the responsibility (but not the theft) - do what is needed to restore your name in other ways. Or, as a matter of honor, clean up your resume and seek employment elsewhere. If your record of years of unblemished service did not insulate you from suspicion - you are due for even more suspicion in future. It is best to leave on your own terms rather than wait for the next shoe to drop.
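
For the question this thread asks (who changed the password in Active Directory, and when), the following is an added example and not part of any post above. It assumes domain controllers running Windows Server 2008 or later with "Audit User Account Management" enabled at the time; the account name `jdoe` and the 120-day window are placeholders.

```powershell
# Added example; $Account and the 120-day window are placeholder assumptions.
# Requires the ActiveDirectory (RSAT) module and rights to read DC Security logs.
# Events exist only if account-management auditing was on at the time and the
# Security log has not rolled over since.
Import-Module ActiveDirectory

$Account = 'jdoe'                       # sAMAccountName under investigation (placeholder)
$Since   = (Get-Date).AddDays(-120)

# 4723 = a user attempted to change their own password
# 4724 = another account attempted to reset the password
$filter = @{ LogName = 'Security'; Id = 4723, 4724; StartTime = $Since }

$results = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        Get-WinEvent -ComputerName $dc.HostName -FilterHashtable $filter -ErrorAction Stop |
            ForEach-Object {
                # Flatten the EventData name/value pairs into a lookup table
                $data = @{}
                foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
                if ($data['TargetUserName'] -eq $Account) {
                    [pscustomobject]@{
                        TimeCreated = $_.TimeCreated
                        DC          = $dc.HostName
                        EventId     = $_.Id
                        Target      = $data['TargetUserName']
                        ChangedBy   = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
                        LogonId     = $data['SubjectLogonId']
                    }
                }
            }
    }
    catch {
        Write-Warning "No matching events or no access on $($dc.HostName): $($_.Exception.Message)"
    }
}
$results | Sort-Object TimeCreated | Format-Table -AutoSize

# Replication metadata for pwdLastSet: when and on which DC the attribute was last
# written. It records only the most recent write, so a later reset overwrites it.
$user = Get-ADUser -Identity $Account
Get-ADReplicationAttributeMetadata -Object $user.DistinguishedName `
    -Server (Get-ADDomain).PDCEmulator -Properties pwdLastSet |
    Select-Object AttributeName, Version, LastOriginatingChangeTime, LastOriginatingChangeDirectoryServerIdentity
```

Unlike `pwdLastSet`, the Security log keeps each earlier change or reset as its own event, so a later reset does not erase the record of who made a previous one as long as the log still covers that date.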
