Audit a phone number attribute change to an AD user account
Hello. Even though I have success/failure enabled on Local Policies/Audit Policy within our Default Domain Controllers GPO, is there a way to find out who/what is modifying a user's phone number attributes? There are some imports that happen on a nightly basis, etc., but I'm trying to narrow down the account/source. Thanks in advance.
May 4th, 2010 10:32pm

You need to set the audit policy in the Default DOMAIN GPO, then configure auditing of the objects in AD. Read these for more information:
Recommended Default Domain Audit Policy
http://networkadminkb.com/kb/Knowledge%20Base/ActiveDirectory/Recommended%20Default%20Domain%20Audit%20Policy.aspx
Recommended Active Directory Audit Policy
http://networkadminkb.com/kb/Knowledge%20Base/ActiveDirectory/Recommended%20Active%20Directory%20Audit%20Policy.aspx
May 4th, 2010 11:03pm

Thanks, Gunner. Actually, all of those policies are currently in place, both in the Default Domain and the AD Audit Policy.
May 5th, 2010 12:57am

Then you should see the audit event. How are you looking for it? I would find the LDAP property name being changed and search for that in the description, or you could search for the account name being modified in the description. If it's all configured correctly, finding the event is what most admins have trouble with.
May 6th, 2010 1:46am

I have been looking for 642 and 625 events in the Security logs on our domain controllers. If there is a better way to search, say via freeware, etc., I'm willing to try that out! It just seems that there are no events tied to the account in question other than logon/logoffs. Thanks again.
May 6th, 2010 5:09pm

If all you are seeing are logon/logoff events, then your auditing is not properly enabled. It's not difficult to set up auditing, but you need to review the configuration again more slowly and verify everything. Use the various GPO tools (gpresult.exe, the GP Resultant Set of Policy MMC, etc.) to verify settings and configuration. Obviously something is wrong in the configuration; you need to figure that out.
May 6th, 2010 5:29pm

Sorry, I should have been more clear. I do see modifications; it's just that I do not see modifications on the account in question. I do see them for things like name changes, password sets, etc. Just nothing that lets me know a phone number has been changed. I will go back through the auditing setup, but I'm wondering if this type of change is simply not shown in a 2003 environment.
May 6th, 2010 5:47pm

This should be captured as a change to the user account, so it's one of two problems at this point.
1) You are mistakenly searching for the wrong thing. The most productive search for people to do is to search the description field ONLY for the user account name, then review each event in the time frame that the change was made. This is the best search, because users unknowingly/mistakenly search for the wrong events and miss stuff.
2) Auditing is not enabled directly on the object or the OU the object is in. Again, check your auditing configuration, directly on the object this time. Enable auditing on EVERYTHING for this object/OU if needed.
May 6th, 2010 6:00pm
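The two-part procedure Gunner describes across these replies (make sure the audit policy is effective and a SACL exists on the object/OU, then search the description text for the account rather than for a guessed event ID) as a single PowerShell script. This is an added example, not code from the thread or from either poster. It assumes a domain controller named DC01, an OU of OU=Staff,DC=contoso,DC=com, a user jsmith whose object is CN=John Smith,OU=Staff,DC=contoso,DC=com, and a DC running Windows Server 2008 R2 or later so that auditpol, Get-WinEvent and the ActiveDirectory module's AD: drive are available; on Windows 2003 the corresponding event is 642 (User Account Changed) under the "Audit account management" and "Audit directory service access" categories, which the script does not cover.

```powershell
# Added example (not from the original thread). Assumed names:
#   DC01                                    - domain controller to query
#   OU=Staff,DC=contoso,DC=com              - OU holding the user objects
#   jsmith / CN=John Smith,OU=Staff,...     - account under investigation
# Requires: RSAT ActiveDirectory module, rights to read the Security log and SACLs.

$Dc      = 'DC01'
$Ou      = 'OU=Staff,DC=contoso,DC=com'
$User    = 'jsmith'
$UserDn  = 'CN=John Smith,OU=Staff,DC=contoso,DC=com'
$Start   = (Get-Date).AddDays(-2)
$End     = Get-Date

# --- 1. Policy: what is actually in effect on this DC, not what the GPO text says.
#     "Directory Service Changes" is the subcategory that writes event 5136 and names
#     the attribute (telephoneNumber, mobile, ...) together with who wrote it.
auditpol /get /subcategory:"Directory Service Changes"
auditpol /get /subcategory:"User Account Management"

# --- 2. SACL: the policy alone produces nothing unless the OU (or object) carries an
#     inheritable success audit entry covering property writes. List the entries that
#     could cover a phone-number write so the gap is visible if there is none.
Import-Module ActiveDirectory
$auditRules = (Get-Acl -Path "AD:\$Ou" -Audit).Audit |
    Where-Object { $_.ActiveDirectoryRights -match 'WriteProperty|GenericWrite|GenericAll' }
if (-not $auditRules) {
    Write-Warning "No property-write audit entries on $Ou; attribute changes here will not be logged."
} else {
    $auditRules | Format-Table IdentityReference, ActiveDirectoryRights, AuditFlags,
        InheritanceType, InheritedObjectType -AutoSize
}

# --- 3. Search the description text for the account, as suggested in the thread.
#     4738 = User Account Changed (the 2008+ successor of 642), which carries the
#            target's sAMAccountName.
#     5136 = Directory Service Changes, which carries the object's DN rather than its
#            logon name, so match on both forms or the 5136 events are missed.
$pattern = "(?i)(\b$([regex]::Escape($User))\b|$([regex]::Escape($UserDn)))"

Get-WinEvent -ComputerName $Dc -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4738, 5136
        StartTime = $Start
        EndTime   = $End
    } -ErrorAction Stop |
    Where-Object { $_.Message -match $pattern } |
    Select-Object TimeCreated, Id,
        # First "Account Name:" line in both 4738 and 5136 is the Subject, i.e. who made the change.
        @{ Name = 'ChangedBy'; Expression = {
            ($_.Message -split "`r?`n" | Where-Object { $_ -match 'Account Name:' } |
                Select-Object -First 1).Trim() } },
        # Only 5136 has this line; it is empty for 4738.
        @{ Name = 'Attribute'; Expression = {
            ($_.Message -split "`r?`n" | Where-Object { $_ -match 'LDAP Display Name:' } |
                Select-Object -First 1) } } |
    Sort-Object TimeCreated |
    Format-Table -AutoSize -Wrap
```

Run this against every domain controller in turn, because the change is logged only on the DC that processed the LDAP write, not replicated to the others; a nightly import that binds to a different DC than the one you are reading will look like "no events" on the first box you check.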

I will check it out, Gunner. I appreciate all of your help and will update this thread once I find it. Thanks again.
May 6th, 2010 6:06pm

This topic is archived. No further replies will be accepted.
