trippleO7
asked on
How can you tell who created an Active Directory user object?
Is there a way to tell who created user accounts in Active Directory? I've found the attribute that tells me when the object was created (whenCreated) but is there any method to determine the creator?
Thanks.
It is tough without a 3rd-party auditing product. Your one chance is to look at the ACL for any telltale ACEs and look at the owner listed on the SD. If the user had admin rights in the domain this won't work, because it will say Administrators.
Usually you can right-click on the user object > Properties > Security > Advanced > Owner, only if it was not created by Administrator. The object will also show you when the object was created and modified.
The only problem with the security event viewer is that you may need to increase the log size to record a day or two. If your DC is very busy, even a 130MB size could only record 24 hours. Any size larger than that would create a viewing problem, as the security event log is constantly being updated. Without a real product like MOM or a 3rd-party product to manage the event log, it would be tough.
^^ Right. That is why I mentioned using a 3rd-party auditing tool. The overload on the DC is not worth using normal auditing methods.
ASKER
Thanks everyone! Looks like event 624 will do the trick. I did find out that in Win2008/Vista, the event ID is now 4720 just as an FYI.
@mkline71- Very helpful link you provided...Thanks!
@gregcmsce- My DCs were all set to audit that event, so I'm guessing that was the default as you mentioned, as I have not set that.
@Americom- My DCs are very busy and it does flush the old events in the log. I was going to use a clever workaround with my Vista workstation and subscribe to these specific 624 events from my DCs. This way I was hoping it would create a local event log file on my Vista machine, eliminating the size problem with the log files. Of course, I'm not 100% sure it creates a local log file, nor do I think I can subscribe to Win2003 DC events using Vista. It's a good idea so I'm trying to see if I can get it to work.
Thanks for all of the help and ideas!
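The following PowerShell is an added example, not code from any poster in this thread. It pulls the creator and the new account out of event 4720 records (the Win2008/Vista ID the asker mentions) and notes the owner-on-the-SD fallback from the earlier replies. The event XML is constructed, and DC01, EXAMPLE, helpdesk1 and jdoe are hypothetical names.

```powershell
# Added example: report who created an account from Security event 4720 records.
function ConvertFrom-AccountCreatedEvent {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$EventXml)
    process {
        $evt = ([xml]$EventXml).Event
        # Flatten <Data Name="...">value</Data> into a lookup table.
        $data = @{}
        foreach ($node in $evt.EventData.Data) {
            $data[$node.GetAttribute('Name')] = $node.InnerText
        }
        [pscustomobject]@{
            TimeCreated = $evt.System.TimeCreated.SystemTime
            LoggedOn    = $evt.System.Computer
            # Subject* = the account that performed the creation.
            Creator     = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
            # Target* = the account that was created.
            NewAccount  = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
        }
    }
}

# Constructed sample event, trimmed to the fields used above.
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>4720</EventID>
    <TimeCreated SystemTime="2024-01-15T09:30:00.0000000Z" />
    <Computer>DC01.example.local</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserName">jdoe</Data>
    <Data Name="TargetDomainName">EXAMPLE</Data>
    <Data Name="SubjectUserName">helpdesk1</Data>
    <Data Name="SubjectDomainName">EXAMPLE</Data>
  </EventData>
</Event>
'@
$sample | ConvertFrom-AccountCreatedEvent   # Creator: EXAMPLE\helpdesk1

# Live query against a DC (needs rights to read its Security log):
# Get-WinEvent -ComputerName DC01 -FilterHashtable @{LogName='Security'; Id=4720} |
#     ForEach-Object { $_.ToXml() } | ConvertFrom-AccountCreatedEvent

# Fallback when the event has rolled off the log: the owner on the security
# descriptor (ActiveDirectory module). As noted above, this shows an
# administrators group, not the person, when the creator had admin rights.
# (Get-ADUser jdoe -Properties nTSecurityDescriptor).nTSecurityDescriptor.Owner
```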
ASKER
Split the points as provided same solution and extra information. Thanks!
If the event logs are overwritten on the DC, then is there an option to find out who created the user account in Active Directory?
Regards