Solved

Query Active Directory (AD) for users created by "logon-name"

Posted on 2004-09-01
Last Modified: 2008-05-30
Does anybody know how to query AD for all users created by "juser@mydomain.com"? We have a new employee who has created a bunch of AD accounts and most are wrong. I would like to get a list of all user accounts created by "joeUser".

Thanks!
Question by:Drew_Mora
13 Comments
 

Expert Comment

by:BigC666
ID: 11957916
howdy,

have a look at this http://weblogs.asp.net/steveschofield/archive/2004/04/28/121857.aspx

hope that it helps

Expert Comment

by:joelleo
ID: 11959040
Aloha Drew Mora.

Your best bet is to parse out the security log on the domain controllers looking for successful event IDs 624 of the Security source (Account Management category.) In the User field of the event you'll see the user that created the account. Any that have mydomain\juser in the User field were created by juser@mydomain.com.

Two ways to do this:

1) Use the Event Viewer utility to search the security log on your domain controllers

Start > Run > eventvwr

Opens the Event Viewer
-Right click on the Security log & point to View
-Click Find

This opens a new window that allows you to query the log.

In the User field type the user's account name (juser, in your example). In the Event ID field, type 624. Select Security from the Source drop down list box.
-Click the Find Next button

It will take you to the first (top down) instance of the event. If you don't find any events, you might need to check a different dc as this is a per-dc effort.

Once you find an entry, look in the details and you'll see the account that he created. This is fine for a relatively small number of users, but would be cumbersome for lots of users or lots of domain controllers. If you have lots of dcs or lots of users, you might want to do #2.

2) Use the Dump Event Log utility from the resource kit to dump the security log to a text file, then search the text file

At a command prompt:

dumpel -l security -f seclog1.txt -m Security -e 624 -s \\<domaincontroller>

If you know juser has only been with the organization for 30 days you can add an option to dump the last n days of the log (-d 30 would dump the last 30 days, for example.) Replace <domaincontroller> with the name of your domain controller and change seclog1.txt to seclogn+1.txt for each other domain controller in the domain.

Once you've done that, you'll have security logs from each of your domain controllers listing each and every user account created. You can use the findstr utility to look for juser:

findstr /i "mydomain\juser" seclog1.txt

would list out each entry in the seclog1.txt file that contains the string mydomain\juser. Considering the seclog1.txt file only contains ID 624 (new account creation) entries from the Security source, you'll be able to determine which users he created. Hopefully, you'll also learn about the incredibly useful dumpel tool, too ;)

Aloha and good luck.

Joel Leo

Expert Comment

by:ncrones
ID: 11961851

If the user accounts were all created by one user then that user will be set as the owner of the new user object (to view in AD user object properties, security tab, advanced, Owner)

All you need to do is dump AD using csvde.exe or similar tool and look for the owner attribute (ntSecurityDescriptor) and sort by that.

hope that helps

cheers

Nick


Author Comment

by:Drew_Mora
ID: 11965937
Is CSVDE.EXE part of the 2000 or 2003 resource kit?

Thanks : )

Accepted Solution

by:
joelleo earned 500 total points
ID: 11966082
Aloha Drew.

Ncrones has a good point. One thing to keep in mind: if juser is a member of domain admins the owner of any accounts he creates will be domain admins as opposed to juser.

Also, you can view object ownership in AD by turning on Advanced Features of the Active Directory Users & Computers tool.

From the ADU&C tool:

-Click View
-Click Advanced Features

You'll see some more objects and containers in the tool, but you'll also see a Security tab on object properties. Click on Advanced on that tab and then click the Owner tab.

hth

Joel Leo

Author Comment

by:Drew_Mora
ID: 11966273
Thanks a lot Joelleo and ncrones! I am working on the export now!

--Drew

Author Comment

by:Drew_Mora
ID: 11966509
OK, so I have an Excel file, but I have no idea how to read it. Does anybody know the syntax for exporting just users? Could I get even more granular and filter by owner?

Author Comment

by:Drew_Mora
ID: 11966908
OK, so I have tried the dumpEL option with the -e 624....The file comes up blank, there are no 624 entries in the DC1, DC2, or DC3 security log. -->So then I tried the csvde.exe route, and I have a 14MB Excel file that I cannot find the owner attribute in. I must really be doing something wrong here. When I did the csvde export I used the following syntax:

--> csvde --f outputDC.csv -r "(objectClass=user)"
Export complete 8629 entries exported

Thanks for all your help so far, but I must be doing something wrong....please help : )

Expert Comment

by:joelleo
ID: 11966994
Aloha Drew.

Do you see any entries in your security logs on the domain controllers? If auditing is turned off you won't have any entries at all, in which case the csvde route is the only route for you.

As an experiment, try creating a new user directly on a domain controller and then check the security log - you should see a successful 624 event in Security source with your username on it, along with the new user's details in the description pane. If you don't, you likely don't have auditing turned on, which can be verified using the Local Security Policy tool.

Joel

Author Comment

by:Drew_Mora
ID: 11967151
OK, so I just found out that auditing is not turned on. Thanks for your help anyhow : )

--Drew

Author Comment

by:Drew_Mora
ID: 11968687
So now that I know that I have to use csvde.exe, please help me figure out how to export the user and the owner. I did an export and got all the user info, but I could not find the owner info anywhere in the spreadsheet.

--Thx in advance, Drew

Expert Comment

by:ncrones
ID: 14079406
see my earlier comment:

All you need to do is dump AD using csvde.exe or similar tool and look for the owner attribute (ntSecurityDescriptor) and sort by that.


NTSECURITYDESCRIPTOR is the attribute you want to be looking for - that is the owner attrib from memory? So something like this if you want to dump to CSV from a particular OU:

csvde -m -f OUTPUT.CSV -d "OU=****,OU=***,DC=***,DC=***,DC=**,DC=**" -r "(objectClass=User)" -l "DN,objectClass,cn,description,ntSecurityDescriptor,instanceType,sAMAccountName,objectCategory"

Expert Comment

by:ncrones
ID: 14079412
use csvde /? for the syntax
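
The owner discussed in this thread is stored inside the binary ntSecurityDescriptor value rather than as a readable column. The Python sketch below is an added example, not code from any poster here: it decodes the owner SID from each exported descriptor and groups accounts by it, assuming csvde writes the attribute as X'hex' in self-relative form; the SIDs, account names and the `_make_sd` helper are constructed for illustration.

```python
import csv
import io
import struct
from collections import defaultdict

def owner_sid(sd_field: str) -> str:
    """Decode the owner SID from one exported ntSecurityDescriptor value."""
    sd = bytes.fromhex(sd_field.strip()[2:-1])   # assumed csvde form: X'<hex>'
    revision, _sbz1, control, off_owner = struct.unpack_from("<BBHI", sd, 0)
    if revision != 1 or not control & 0x8000:    # 0x8000 = SE_SELF_RELATIVE
        raise ValueError("not a self-relative security descriptor")
    if off_owner == 0:
        raise ValueError("descriptor has no owner field")
    sid_rev, sub_count = struct.unpack_from("<BB", sd, off_owner)
    authority = int.from_bytes(sd[off_owner + 2:off_owner + 8], "big")
    subs = struct.unpack_from(f"<{sub_count}I", sd, off_owner + 8)
    return "-".join(["S", str(sid_rev), str(authority), *map(str, subs)])

def users_by_owner(csv_text: str) -> dict:
    """Group sAMAccountName values by the owner SID of each object."""
    groups = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        groups[owner_sid(row["ntSecurityDescriptor"])].append(row["sAMAccountName"])
    return dict(groups)

def is_domain_admins(sid: str) -> bool:
    """RID 512 is Domain Admins: such an owner does not identify the creator."""
    return sid.startswith("S-1-5-21-") and sid.endswith("-512")

def _make_sd(sid: str) -> str:
    """Hypothetical helper: build an owner-only descriptor for the sample data."""
    parts = sid.split("-")
    subs = [int(p) for p in parts[3:]]
    raw = (bytes([int(parts[1]), len(subs)]) + int(parts[2]).to_bytes(6, "big")
           + struct.pack(f"<{len(subs)}I", *subs))
    return "X'" + (struct.pack("<BBHIIII", 1, 0, 0x8000, 20, 0, 0, 0) + raw).hex() + "'"

# Constructed sample: RID 1104 stands in for juser, RID 512 is Domain Admins.
DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"
SAMPLE_CSV = "sAMAccountName,ntSecurityDescriptor\n" + "\n".join(
    f"{name},{_make_sd(f'{DOMAIN}-{rid}')}"
    for name, rid in [("alice", 1104), ("bob", 1104), ("carol", 512)])

if __name__ == "__main__":
    for sid, names in users_by_owner(SAMPLE_CSV).items():
        flag = " (Domain Admins owner, creator unknown)" if is_domain_admins(sid) else ""
        print(f"{sid}: {', '.join(names)}{flag}")
```

To pick out one creator's accounts, compare each owner SID with the objectSid of that person's account. Accounts owned by the Domain Admins SID cannot be attributed this way.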