who deleted user?

Unanswered Question
Mar 15th, 2010

Hi there

Is it in any way possible for me to pick up who deleted a user in call manager 4.1?

The person who logged on used a generic administrator login, so that won't help.

Is it possible to check the IP address of the person who deleted a specific user?

Thanks a mil...

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
wgroenewald Mon, 03/15/2010 - 06:54

Also, the "users" in call manager 4.1.

Is there any reason why there would be anything really important to the operation of a Cisco VOIP environment would be listed in the user directory.

My understanding is that only users are listed here and that there is no serious damage you can do by deleting any one particular user...besides upsetting a user of course.

We have a call centre here where all CTI devices are listed in the user directory under one user. If this is deleted the entire call centre will stop working. Should this be in here?

I ask because I would like to be able to give permissions to someone to be able to keep our internal directory up to date, but I see we have users on the directory such as our call centre user. Which would cause serious issues of the person accidentally deletes it.

So...Should this really be featuring in the directory.

Aaron Harrison Mon, 03/15/2010 - 06:57


Should it? No... does it? Yep.

Since the linux versions of CCM, there are now separate 'Application' and 'End User' directories to split the two types of users you are talking about.

Unfortunately on 4.x you are stuck with the old single directory.



wgroenewald Mon, 03/15/2010 - 07:05

Thanks Aaron

So I have to hope that no one deletes those NB users! From which call manager version are these two directories seperate?

The other part of my question is, can I detect who deletes a user if they are using a generic login?

Aaron Harrison Mon, 03/15/2010 - 07:12


Seperate directories came in on v5.0 I believe.. the first linux release.

If you have MLA enabled (i.e. are logging in as CCMAdministrator) then you might see something in the MLA logs.

Otherwise you could take a look at the IIS logs (c:\winnt\system32\logfiles\w3svc). Grep/search those for references like so:

2010-03-15 14:03:36 administrator W3SVC1 CUCM-42 443 GET /ccmadmin/styles/basic.css - 304 0 141 485 0 HTTP/1.1 cucm-42 Mozilla/4.0(compatible;MSIE6.0;WindowsNT5.0) ASPSESSIONIDWGCBASCA=KIPHPOBDFAAJOGJPBANNOPOO https://cucm-42/ccmadmin/userprefslist.asp?deleteuser=deluser

OWhere would be the client IP; administrator being the local admin in this case, and the URL listed at the end of the line suggesting that this user has pulled the userprefslist.asp page with a paremter telling the system to delete the user (deluser in this example was the deleted person).



Please rate helpful posts...



This Discussion