> "Kit" <Kit[ at ]discussions.microsoft.com> wrote in message
> news:4D465C64-B0F4-407C-A705-E18BAAF1AC56[ at ]microsoft.com...
> > This week I have been using scripts to pull workstations in to WSUS that
> > were not reporting. I have a deadline to meet for a security report. I feel
> > one of the Security Administrators is up to malicious activity.
> >
> > On Tuesday I had my Servers group disappear. I asked the 2 other WSUS
> > administrators they said no and I believe them.
> >
> > Today when I was on the server now the workstations group disappeared.
>
> I would agree.. something "suspicious" is definitely happening, because
> groups do not disappear without human assistance.
>
>
> > How do I search the Logs to see who has been on WSUS?
>
> With WSUS 3.0, you can find a full audit trace of WSUS Admin activity in the
> logfile at:
> %ProgramFiles%\Update Services\Logfiles\Change.log
>
> > How do I search the Logs to be able to prove who deleted this group?
>
> The Change.log is a chronology of all administrative actions performed in
> the WSUS application; however, unless these actions were performed in the
> context of a user-specific account (e.g. not the local Administrator account
> or the DomainAdmin account), the logfile won't be of much help -- except to
> identify the *when* something occurred..
>
> --
> Lawrence Garvin, M.S., MCITP(x2), MCTS(x5), MCP(x7), MCBMSP
> Principal/CTO, Onsite Technology Solutions, Houston, Texas
> Microsoft MVP - Software Distribution (2005-2009)
>
> MS WSUS Website: http://www.microsoft.com/wsus
> My Websites: http://www.onsitechsolutions.com; http://wsusinfo.onsitechsolutions.com
> My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin