Active directory audit

0

I'm trying to find out what is changing one of the attributes in my Active Directory. Some email addresses (attribute: Mail) are being changed and nobody seems to know why.

I created an audit policy in Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies. I activated "Account Management" and "DS Access". I know for a fact that this GPO works: when I change the display name of a user, I get an event in my event viewer.

The issue is: it doesn't log every attribute, only this list:
Changed Attributes:
SAM Account Name
Display Name
User Principal Name
Home Directory
Home Drive
Script Path
Profile Path
User Workstations
Password Last Set
Account Expires
Primary Group ID
AllowedToDelegateTo
Old UAC Value
New UAC Value
User Account Control
User Parameters
SID History
Logon Hours

So I can't audit what I need to audit in my AD. How can I audit the "mail" field of my users?
I don't think it's Exchange itself: some users are in O365, others in Exchange.
We have the same problem in three different OUs.
Some are personal accounts, others are system accounts.

With the command repadmin /showobjmeta, I pinpointed the DC where the change is originating, but I don't know how to trace it further.

Thanks in advance for your kind answers.

Thomas Alsteens

Posted 2018-03-29T12:44:27.420

Reputation: 1
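The "Changed Attributes" list in the question is the fixed set that the account-management event (4738, "A user account was changed") reports; attributes outside that set, such as mail, are only recorded by the Directory Service Changes subcategory (event 5136, "A directory service object was modified"), and that event is written only for objects whose SACL requests auditing of the write. The script below is an added example, not part of the original post: it enables the subcategory, puts a write-property SACL for the mail attribute on an OU, and then reads back the 5136 events so that the subject account doing the change (which repadmin /showobjmeta cannot show) becomes visible. The OU distinguished name and the DC name are placeholders.

```powershell
# Added example (not from the original post). Run as a domain admin.
# Assumptions (hypothetical values): OU "OU=Users,DC=example,DC=com", DC "DC01".
Import-Module ActiveDirectory

$ouDn  = "OU=Users,DC=example,DC=com"   # hypothetical OU to audit
$dcName = "DC01"                          # hypothetical DC found with repadmin /showobjmeta

# 1. Enable the "Directory Service Changes" subcategory (or do it in the GPO
#    the question already uses under Advanced Audit Policy Configuration).
auditpol /set /subcategory:"Directory Service Changes" /success:enable /failure:enable

# 2. Look up the schemaIDGUID of the 'mail' attribute so the SACL can be limited
#    to writes of that one property instead of "Write all properties".
$schemaNc = (Get-ADRootDSE).schemaNamingContext
$mailAttr = Get-ADObject -SearchBase $schemaNc -Filter 'lDAPDisplayName -eq "mail"' -Properties schemaIDGUID
$mailGuid = [guid]$mailAttr.schemaIDGUID

# 3. Add an audit rule (SACL entry): successful WriteProperty on 'mail' by Everyone,
#    inherited by all descendant objects of the OU.
$everyone = [System.Security.Principal.SecurityIdentifier]::new("S-1-1-0")
$rule = New-Object System.DirectoryServices.ActiveDirectoryAuditRule(
    $everyone,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    [System.Security.AccessControl.AuditFlags]::Success,
    $mailGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents)

$acl = Get-Acl -Path "AD:\$ouDn" -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# 4. Read the resulting 5136 events from the originating DC and keep only
#    changes to 'mail'. Each event carries the subject account, the object DN,
#    the attribute name and the value added or removed.
function Get-MailAttributeChanges {
    param([string]$ComputerName, [datetime]$Since = (Get-Date).AddDays(-7))

    Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
        LogName = 'Security'; Id = 5136; StartTime = $Since
    } -ErrorAction SilentlyContinue | ForEach-Object {
        $xml = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Subject   = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
            Object    = $data.ObjectDN
            Attribute = $data.AttributeLDAPDisplayName
            Value     = $data.AttributeValue
            # OperationType is a resource string id: %%14674 = Value Added, %%14675 = Value Deleted
            Operation = $data.OperationType
        }
    } | Where-Object { $_.Attribute -eq 'mail' }
}

Get-MailAttributeChanges -ComputerName $dcName | Sort-Object Time | Format-Table -AutoSize
```

A mail change shows up as a pair of 5136 events (the old value deleted, the new value added) with the same Subject; that Subject is the account whose owner, or whose script, service or sync connector (AD Connect, or a dev team's test application, as in the answer below), is writing the attribute. Because the SACL is evaluated on the DC that processes the write, the query has to be run against the originating DC identified with repadmin /showobjmeta, or against every DC.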

How is the email address changing? There has to be a clue there as to why or what. I strongly suspect there is a pattern you can pick up on. Do you have AD Connect installed for Office 365? Have you modified the sync rules? AD Connect is fully capable of changing this data if sync rules have been created that touch the email address field. – Appleoddity – 2018-03-29T12:50:04.390

That's the thing, there is no pattern I can pick up. One has the number of "e" in his name increased (from "tee" to "teee"), another has the email address of another user whose name kind of looks like hers, but is definitely different; it's really strange. I didn't say it, but I disabled "Automatically update email addresses based on the email address policy applied to this recipient" for some users and the problem persists for them. – Thomas Alsteens – 2018-03-29T12:59:43.647

Can you answer the questions about AD Connect? This is a commonly used component with Office 365. If an admin attempted to create their own sync rules, it sounds like there is a bug in it. That is my guess. I bet there is a sync process or script that was set up by an admin to try to automatically populate the email address field based on their Exchange or Office 365 properties and it isn't working right. – Appleoddity – 2018-03-29T15:01:07.137

We indeed have an AD Connect, but I have no control over it. I'll contact the correct team and check with them. Thanks in advance for your answer. I'll keep this post updated as soon as I have more info. – Thomas Alsteens – 2018-03-30T09:34:26.483

Answers

0

OK, I found the culprit.

A dev team was using our AD as a sandbox for their new software, and they had some issues in the database they were using.

It's all sorted out now.

Thanks everyone for the help.

Thomas Alsteens

Posted 2018-03-29T12:44:27.420

Reputation: 1