It should be listed as a config change in the machine audit?
Nope. These are the last two lines of the machine audit:
01/05/2010 10:04:01 AM,0x04000001,"[username]" (ID=00001107\Type=00000001),Logon successful
01/05/2010 10:16:24 AM,0x01000014,N/A,Check for configuration updates
I was hoping it recorded the user that removed the encryption.
The client files were version 5.1.7.
They are from the client; you need to work up until you find who did the object update.
Dump audit logs for all your EEM administrators. Then search for the ID of the machine in question.
You need to look for an "update object" event (0x01000089) for the machine in question. No need to dump all the audit for users, just that one event.
Then you can look for the machine ID and see who made the change.
Sure, you can narrow it down that way, but sometimes it is useful to also know other event types for this machine.
Dumping the audit log for group(s) of administrators does not take long, so I do not see the benefit of filtering events.
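
The search discussed in the replies above, as an added example that is not part of the thread and is not McAfee tooling: it filters a dumped administrator audit for events naming one machine, either all event types or only the "update object" event (0x01000089). It assumes the dump uses the same four-column layout as the machine audit lines quoted earlier and that the description of an update names the object as `ID=<id>`; the administrator names, IDs and log lines are constructed.

```python
import re

UPDATE_OBJECT = 0x01000089  # "update object" event code named in the thread

# Constructed sample of a dumped administrator audit (not real data).
# Assumptions: same four-column layout as the machine audit lines quoted in
# the thread, and the description of an update names the object as ID=<id>.
SAMPLE_AUDIT = r'''
01/05/2010 09:41:12 AM,0x04000001,"admin_a" (ID=00000002\Type=00000001),Logon successful
01/05/2010 09:47:30 AM,0x01000089,"admin_a" (ID=00000002\Type=00000001),Update object ID=00000AB1
01/05/2010 09:52:03 AM,0x01000089,"admin_b" (ID=00000003\Type=00000001),Update object ID=00000AB2
01/05/2010 09:58:44 AM,0x01000014,N/A,Check for configuration updates
01/05/2010 10:01:19 AM,0x01000089,"admin_b" (ID=00000003\Type=00000001),Update object ID=00000AB1
'''

# timestamp, event code, actor (N/A or "name" (ID=..\Type=..)), description
LINE = re.compile(
    r'^(?P<time>[^,]+),(?P<code>0x[0-9A-Fa-f]{8}),'
    r'(?P<who>N/A|"[^"]*" \(ID=[0-9A-Fa-f]+\\Type=[0-9A-Fa-f]+\)),(?P<desc>.*)$'
)

def parse(text):
    """Yield one dict per well-formed audit line; skip anything else."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            yield {"time": m["time"], "code": int(m["code"], 16),
                   "who": m["who"], "desc": m["desc"]}

def events_for_machine(text, machine_id, code=None):
    """Events whose description names machine_id, optionally one event code.

    Only the description is searched: the actor column also holds an ID=
    value (the administrator's own), which a whole-line search would match.
    """
    needle = re.compile(r'\bID=' + re.escape(machine_id) + r'\b', re.IGNORECASE)
    return [e for e in parse(text)
            if needle.search(e["desc"]) and (code is None or e["code"] == code)]

if __name__ == "__main__":
    for e in events_for_machine(SAMPLE_AUDIT, "00000AB1", UPDATE_OBJECT):
        print(e["time"], e["who"], e["desc"])
```

Calling `events_for_machine` without `code` returns every event type recorded for that machine, which covers the broader view suggested in the last reply.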