Query Active Directory (AD) for users created by "logon-name"

Posted on 2004-09-01
Last Modified: 2008-05-30
Does anybody know how to query AD for all users created by "juser@mydomain.com"? We have a new employee who has created a bunch of AD accounts and most are wrong; I would like to get a list of all user accounts created by "joeUser".

Thanks!
Question by:Drew_Mora
LVL 9

Expert Comment

by:BigC666
ID: 11957916
Howdy,

Have a look at this: http://weblogs.asp.net/steveschofield/archive/2004/04/28/121857.aspx

Hope that it helps.
LVL 3

Expert Comment

by:joelleo
ID: 11959040
Aloha Drew Mora.

Your best bet is to parse out the security log on the domain controllers looking for successful event ID 624 of the Security source (Account Management category). In the User field of the event you'll see the user that created the account. Any that have mydomain\juser in the User field were created by juser@mydomain.com.

Two ways to do this:

1) Use the Event Viewer utility to search the security log on your domain controllers

Start > Run > eventvwr

Opens the Event Viewer
- Right-click on the Security log and point to View
- Click Find

This opens a new window that allows you to query the log.

In the User field type the user's account name (juser, in your example). In the Event ID field, type 624. Select Security from the Source drop-down list box.
- Click the Find Next button

It will take you to the first (top down) instance of the event. If you don't find any events, you might need to check a different DC, as this is a per-DC effort.

Once you find an entry, look in the details and you'll see the account that he created. This is fine for a relatively small number of users, but would be cumbersome for lots of users or lots of domain controllers. If you have lots of DCs or lots of users, you might want to do #2.

2) Use the Dump Event Log utility from the resource kit to dump the security log to a text file, then search the text file

At a command prompt:

dumpel -l security -f seclog1.txt -m Security -e 624 -s \\<domaincontroller>

If you know juser has only been with the organization for 30 days you can add an option to dump the last n days of the log (-d 30 would dump the last 30 days, for example.) Replace <domaincontroller> with the name of your domain controller and change seclog1.txt to seclogn+1.txt for each other domain controller in the domain.

Once you've done that, you'll have security logs from each of your domain controllers listing each and every user account created. You can use the findstr utility to look for juser:

findstr /i "mydomain\juser" seclog1.txt

would list out each entry in the seclog1.txt file that contains the string mydomain\juser. Considering the seclog1.txt file only contains ID 624 (new account creation) entries from the Security source, you'll be able to determine which users he created. Hopefully, you'll also learn about the incredibly useful dumpel tool, too ;)

Aloha and good luck.

Joel Leo
LVL 4

Expert Comment

by:ncrones
ID: 11961851

If the user accounts were all created by one user then that user will be set as the owner of the new user object (to view: AD user object properties, Security tab, Advanced, Owner).

All you need to do is dump AD using csvde.exe or similar tool and look for the owner attribute (ntSecurityDescriptor) and sort by that.

hope that helps

cheers

Nick


Author Comment

by:Drew_Mora
ID: 11965937
Is CSVDE.EXE part of the 2000 or 2003 resource kit?

Thanks : )
LVL 3

Accepted Solution

by:
joelleo earned 500 total points
ID: 11966082
Aloha Drew.

Ncrones has a good point. One thing to keep in mind: if juser is a member of domain admins the owner of any accounts he creates will be domain admins as opposed to juser.

Also, you can view object ownership in AD by turning on Advanced Features of the Active Directory Users & Computers tool.

From the ADU&C tool:

-Click View
-Click Advanced Features

You'll see some more objects and containers in the tool, but you'll also see a Security tab on object properties. Click on Advanced on that tab and then click the Owner tab.

hth

Joel Leo

Author Comment

by:Drew_Mora
ID: 11966273
Thanks a lot Joelleo and ncrones! I am working on the export now!

--Drew

Author Comment

by:Drew_Mora
ID: 11966509
OK, so I have an Excel file, but I have no idea how to read it. Does anybody know the syntax for exporting just users? Could I get even more granular and filter by owner?

Author Comment

by:Drew_Mora
ID: 11966908
OK, so I have tried the dumpel option with the -e 624... The file comes up blank; there are no 624 entries in the DC1, DC2, or DC3 security log. So then I tried the csvde.exe route, and I have a 14MB Excel file that I cannot find the owner attribute in. I must really be doing something wrong here. When I did the csvde export I used the following syntax:

csvde -f outputDC.csv -r "(objectClass=user)"
Export complete 8629 entries exported

Thanks for all your help so far, but i must be doing something wrong....please help : )
LVL 3

Expert Comment

by:joelleo
ID: 11966994
Aloha Drew.

Do you see any entries in your security logs on the domain controllers? If auditing is turned off you won't have any entries at all, in which case the csvde route is the only route for you.

As an experiment, try creating a new user directly on a domain controller and then check the security log - you should see a successful 624 event in the Security source with your username on it, along with the new user's details in the description pane. If you don't, you likely don't have auditing turned on, which can be verified using the Local Security Policy tool.

Joel

Author Comment

by:Drew_Mora
ID: 11967151
OK, so I just found out that auditing is not turned on. Thanks for your help anyhow : )

--Drew

Author Comment

by:Drew_Mora
ID: 11968687
So now that I know that I have to use csvde.exe, please help me figure out how to export the user and the owner. I did an export and got all the user info, but I could not find the owner info anywhere in the spreadsheet.

--Thx in advance, Drew
LVL 4

Expert Comment

by:ncrones
ID: 14079406
see my earlier comment:

All you need to do is dump AD using csvde.exe or similar tool and look for the owner attribute (ntSecurityDescriptor) and sort by that.


ntSecurityDescriptor is the attribute you want to be looking for - that is the owner attribute, from memory. So, something like this if you want to dump to CSV from a particular OU:

csvde -m -f OUTPUT.CSV -d "OU=****,OU=***,DC=***,DC=***,DC=**,DC=**" -r "(objectClass=User)" -l "DN,objectClass,cn,description,ntSecurityDescriptor,instanceType,sAMAccountName,objectCategory"
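The reason the owner is hard to spot in the csvde spreadsheet is that ntSecurityDescriptor is exported as one binary blob (the whole self-relative security descriptor), not as a readable name. The following Python is an added example, not code from this thread or from any Microsoft tool: it decodes that blob, pulls the owner SID out of the descriptor header, groups accounts by owner, and flags owners that are the Domain Admins group (RID 512), which is what joelleo's point about Domain Admins creators looks like in the data. It assumes csvde writes binary attributes as X'hex' and ldifde as base64 (both handled); the domain SID, account names and CSV rows are constructed test data.

```python
"""Pull the owner SID out of an exported ntSecurityDescriptor and group
user accounts by owner.

Assumptions (not from the thread): csvde writes binary attributes as
X'<hex>' and ldifde as base64; both forms are handled. The SIDs and the
sample CSV rows below are constructed test data, not a real export.
"""
import base64
import csv
import io
import struct
from collections import defaultdict

# Self-relative SECURITY_DESCRIPTOR header: Revision, Sbz1, Control,
# OffsetOwner, OffsetGroup, OffsetSacl, OffsetDacl (little-endian).
SD_HEADER = "<BBHIIII"
SE_SELF_RELATIVE = 0x8000
DOMAIN_ADMINS_RID = 512  # well-known RID of the Domain Admins group


def parse_sid(buf, offset):
    """Decode a binary SID at `offset` into its S-1-... string form."""
    revision, sub_count = buf[offset], buf[offset + 1]
    if revision != 1:
        raise ValueError("unsupported SID revision %d" % revision)
    authority = int.from_bytes(buf[offset + 2:offset + 8], "big")
    subs = struct.unpack_from("<%dI" % sub_count, buf, offset + 8)
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def owner_sid(sd):
    """Return the owner SID of a self-relative security descriptor, or None."""
    revision, _sbz1, control, off_owner, _g, _s, _d = struct.unpack_from(SD_HEADER, sd, 0)
    if revision != 1 or not control & SE_SELF_RELATIVE:
        raise ValueError("expected a self-relative revision-1 descriptor")
    return parse_sid(sd, off_owner) if off_owner else None


def decode_export_value(text):
    """Turn the attribute text from an export back into raw bytes."""
    text = text.strip()
    if text[:2].upper() == "X'" and text.endswith("'"):
        return bytes.fromhex(text[2:-1])  # csvde style (assumed)
    return base64.b64decode(text)  # ldifde style


def is_domain_admins(sid):
    """True for the Domain Admins group SID (S-1-5-21-<domain>-512)."""
    return sid.startswith("S-1-5-21-") and sid.endswith("-%d" % DOMAIN_ADMINS_RID)


def accounts_by_owner(csv_text):
    """Map owner SID -> sorted sAMAccountNames from a csvde-style export."""
    groups = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        sd = decode_export_value(row["ntSecurityDescriptor"])
        groups[owner_sid(sd)].append(row["sAMAccountName"])
    return {owner: sorted(names) for owner, names in groups.items()}


# --- constructed sample data (encoder used only to build test rows) ----
def encode_sid(sid):
    parts = sid.split("-")
    subs = [int(p) for p in parts[3:]]
    return (bytes([int(parts[1]), len(subs)]) + int(parts[2]).to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def build_self_relative_sd(owner):
    """Minimal descriptor holding only an owner, placed right after the 20-byte header."""
    return struct.pack(SD_HEADER, 1, 0, SE_SELF_RELATIVE, 20, 0, 0, 0) + encode_sid(owner)


DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed
JUSER_SID = DOMAIN_SID + "-1105"          # hypothetical juser account
DOMAIN_ADMINS_SID = DOMAIN_SID + "-512"


def csvde_hex(raw):
    return "X'" + raw.hex().upper() + "'"


SAMPLE_CSV = "\n".join([
    "DN,sAMAccountName,ntSecurityDescriptor",
    '"CN=Bad User1,OU=Staff,DC=mydomain,DC=com",baduser1,' + csvde_hex(build_self_relative_sd(JUSER_SID)),
    '"CN=Bad User2,OU=Staff,DC=mydomain,DC=com",baduser2,' + csvde_hex(build_self_relative_sd(JUSER_SID)),
    '"CN=Service Acct,OU=Staff,DC=mydomain,DC=com",svcacct,' + csvde_hex(build_self_relative_sd(DOMAIN_ADMINS_SID)),
])

if __name__ == "__main__":
    for owner, names in accounts_by_owner(SAMPLE_CSV).items():
        tag = "  (Domain Admins owns it: creator was a member)" if is_domain_admins(owner) else ""
        print(owner + tag, names)
```

Run it against a real export by passing the text of the csvde output file (with ntSecurityDescriptor in the -l list) to accounts_by_owner; the owner SID can then be resolved to a name with any SID lookup tool. The only reliable signal here is ownership, so accounts created by a Domain Admins member collapse into the group's SID exactly as the accepted answer warns.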
LVL 4

Expert Comment

by:ncrones
ID: 14079412
Use csvde /? for the syntax.