AD User Creation...

F

Fraser Shortt

Hi everyone,

Our network has several domain admins. I want to determine who created a
user and when? Unfortunately, I haven't seen any quick and easy methods to
find this info.

Is there a way to find this info?

Thanks in advance,
FS
 
R

Richard Mueller [MVP]

Fraser Shortt said:
Hi everyone,

Our network has several domain admins. I want to determine who created a
user and when? Unfortunately, I haven't seen any quick and easy methods to
find this info.

Is there a way to find this info?

Thanks in advance,
FS
Click to expand...


There is a whenCreated attribute of AD objects, but nothing in AD tracks who
created the object, unless you have enabled auditing.
 
M

Meinolf Weber

Hello Fraser,

Enable Auditing for account management in a GPO on the DC's OU. Then you
can find it in the event viewer. Computer configuration, windows settings,
security settings, local policies, Audit policy.

See here about the event id's:
http://www.ultimatewindowssecurity.com/Encyclopedia.aspx?catId=11

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
 
F

Florian Frommherz [MVP]

Howdie!

Fraser said:
Our network has several domain admins. I want to determine who created a
user and when? Unfortunately, I haven't seen any quick and easy methods to
find this info.
Click to expand...

Richard's right. You can easily pull the whenCreated information out of
the directory, the creator however is not stored there. What you can do
is turn on auditing on directory service objects and then crawl through
the eventlog's "Security" log on every DC to see who made a change.

cheers,

Florian
 
F

Fraser Shortt

Thanks to everyone for responding.

I reviewed the security logs, but unfortunately I have the overwrite events
as necessary feature enabled so I can't find anything older than two weeks.

I guess I'm out of luck.

Fraser

Florian Frommherz said:
Howdie!

Fraser said:
Our network has several domain admins. I want to determine who created a
user and when? Unfortunately, I haven't seen any quick and easy methods
to find this info.
Click to expand...

Richard's right. You can easily pull the whenCreated information out of
the directory, the creator however is not stored there. What you can do is
turn on auditing on directory service objects and then crawl through the
eventlog's "Security" log on every DC to see who made a change.

cheers,

Florian
--
Microsoft MVP - Group Policy
eMail: prename [at] frickelsoft [dot] net.
blog: http://www.frickelsoft.net/blog.
Maillist (german): http://frickelsoft.net/cms/index.php?page=mailingliste
Click to expand...
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

Adding Computer To AD 1
Windows Server What can Active Directory Do? 6
Windows cannot determine the user or computername Return valus 135 1
Permissions not applied to every user 4
Windows 2000 and GPO 3
Account Operators Group 15
Login Script help 2
Prevent some Domain Admin Account from creating USERS, Groups, OUs 2

Top