20,212 questions
How to find who changed a users' Manager in AD
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(22.400000000000002, 77%, 12%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EME%3C/text%3E%3C/svg%3E)
Moore, Eric
21
Reputation points
The attribute "manager" was recently altered for a member of our C-Suite recently. Needless to say the change was unauthorised, so we're trying to find who made what we hope is a genuine mistake ;). We have advanced audit policies configured, and Account Management Audit is enabled. We see eventCode 4738 frequently. However, this audit policy does not appear to cover amendments to the field "manager". We have tested some controlled cases today and nothing.
What should be set to capture changes to this field?
AD running on W2019 in Forest and Domain 2012 Functional Mode.
Windows for business | Windows Server | User experience | Other
Sign in to answer