AD User Creation...

  • Thread starter Thread starter Fraser Shortt
  • Start date Start date
F

Fraser Shortt

Hi everyone,

Our network has several domain admins. I want to determine who created a
user and when? Unfortunately, I haven't seen any quick and easy methods to
find this info.

Is there a way to find this info?

Thanks in advance,
FS
 
Fraser Shortt said:
Hi everyone,

Our network has several domain admins. I want to determine who created a
user and when? Unfortunately, I haven't seen any quick and easy methods to
find this info.

Is there a way to find this info?

Thanks in advance,
FS
Click to expand...


There is a whenCreated attribute of AD objects, but nothing in AD tracks who
created the object, unless you have enabled auditing.
 
Hello Fraser,

Enable Auditing for account management in a GPO on the DC's OU. Then you
can find it in the event viewer. Computer configuration, windows settings,
security settings, local policies, Audit policy.

See here about the event id's:
http://www.ultimatewindowssecurity.com/Encyclopedia.aspx?catId=11

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
 
Howdie!

Fraser said:
Our network has several domain admins. I want to determine who created a
user and when? Unfortunately, I haven't seen any quick and easy methods to
find this info.
Click to expand...

Richard's right. You can easily pull the whenCreated information out of
the directory, the creator however is not stored there. What you can do
is turn on auditing on directory service objects and then crawl through
the eventlog's "Security" log on every DC to see who made a change.

cheers,

Florian
 
Thanks to everyone for responding.

I reviewed the security logs, but unfortunately I have the overwrite events
as necessary feature enabled so I can't find anything older than two weeks.

I guess I'm out of luck.

Fraser

Florian Frommherz said:
Howdie!

Fraser said:
Our network has several domain admins. I want to determine who created a
user and when? Unfortunately, I haven't seen any quick and easy methods
to find this info.
Click to expand...

Richard's right. You can easily pull the whenCreated information out of
the directory, the creator however is not stored there. What you can do is
turn on auditing on directory service objects and then crawl through the
eventlog's "Security" log on every DC to see who made a change.

cheers,

Florian
--
Microsoft MVP - Group Policy
eMail: prename [at] frickelsoft [dot] net.
blog: http://www.frickelsoft.net/blog.
Maillist (german): http://frickelsoft.net/cms/index.php?page=mailingliste
Click to expand...
 
Back
Top