Query Active Directory (AD) for users created by "logon-name"

Posted on 2004-09-01
Last Modified: 2008-05-30
Does anybody know how to query AD for all users created by "juser@mydomain.com"? We have a new employee who has created a bunch of AD accounts and most are wrong. I would like to get a list of all user accounts created by "joeUser".

Thanks!
Question by:Drew_Mora
13 Comments
 
LVL 9

Expert Comment

by:BigC666
ID: 11957916
howdy,

have a look at this http://weblogs.asp.net/steveschofield/archive/2004/04/28/121857.aspx

hope that it helps
 
LVL 3

Expert Comment

by:joelleo
ID: 11959040
Aloha Drew Mora.

Your best bet is to parse out the security log on the domain controllers looking for successful event ID 624 entries from the Security source (Account Management category). In the User field of the event you'll see the user that created the account. Any that have mydomain\juser in the User field were created by juser@mydomain.com.

Two ways to do this:

1) Use the Event Viewer utility to search the security log on your domain controllers

Start > Run > eventvwr

Opens the Event Viewer
-Right click on the Security log & point to View
-Click Find

This opens a new window that allows you to query the log.

In the User field type the user's account name (juser, in your example). In the Event ID field, type 624. Select Security from the Source drop down list box.
-Click the Find Next button

It will take you to the first (top down) instance of the event. If you don't find any events, you might need to check a different dc as this is a per-dc effort.

Once you find an entry, look in the details and you'll see the account that he created. This is fine for a relatively small number of users, but would be cumbersome for lots of users or lots of domain controllers. If you have lots of dcs or lots of users, you might want to do #2

2) Use the Dump Event Log utility from the resource kit to dump the security log to a text file, then search the text file

At a command prompt:

dumpel -l security -f seclog1.txt -m Security -e 624 -s \\<domaincontroller>

If you know juser has only been with the organization for 30 days you can add an option to dump the last n days of the log (-d 30 would dump the last 30 days, for example.) Replace <domaincontroller> with the name of your domain controller and change seclog1.txt to seclogn+1.txt for each other domain controller in the domain.

Once you've done that, you'll have security logs from each of your domain controllers listing each and every user account created. You can use the findstr utility to look for juser:

findstr /i "mydomain\juser" seclog1.txt

would list out each entry in the seclog1.txt file that contains the string mydomain\juser. Considering the seclog1.txt file only contains ID 624 (new account creation) entries from the Security source, you'll be able to determine which users he created. Hopefully, you'll also learn about the incredibly useful dumpel tool, too ;)

Aloha and good luck.

Joel Leo
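The event-log route described above, as an added example that is not part of the original thread: a Python script that parses a tab-separated dumpel export and lists which new accounts each caller created. The column order and the 624 description wording are my assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample of a "dumpel -t" export (tab-separated, assumed column order:
# Date, Time, Type, Category, EventID, Source, User, Computer, Description).
# Type 8 = success audit, category 7 = Account Management; all names are made up.
SAMPLE_DUMPEL = """\
9/1/2004\t08:12:03\t8\t7\t624\tSecurity\tMYDOMAIN\\juser\tDC1\tUser Account Created: New Account Name: asmith New Domain: MYDOMAIN Caller User Name: juser Caller Domain: MYDOMAIN
9/1/2004\t08:14:41\t8\t7\t624\tSecurity\tMYDOMAIN\\juser\tDC1\tUser Account Created: New Account Name: bjones New Domain: MYDOMAIN Caller User Name: juser Caller Domain: MYDOMAIN
9/1/2004\t08:20:10\t8\t7\t642\tSecurity\tMYDOMAIN\\juser\tDC1\tUser Account Changed: Target Account Name: asmith Caller User Name: juser Caller Domain: MYDOMAIN
9/1/2004\t09:02:55\t8\t7\t624\tSecurity\tMYDOMAIN\\admin1\tDC1\tUser Account Created: New Account Name: svc-backup New Domain: MYDOMAIN Caller User Name: admin1 Caller Domain: MYDOMAIN
"""

NEW_ACCOUNT = re.compile(r"New Account Name:\s*(\S+)")

def parse_line(line):
    """Split one export line into a dict; None for lines without all nine columns."""
    fields = line.rstrip("\r\n").split("\t", 8)
    if len(fields) != 9:
        return None
    keys = ("date", "time", "type", "category", "event_id", "source", "user", "computer", "description")
    return dict(zip(keys, fields))

def accounts_created(lines):
    """Map each creator (User column, domain prefix stripped, lower-cased) to the
    accounts they created, keeping only event 624 from the Security source."""
    result = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["event_id"] != "624" or rec["source"] != "Security":
            continue
        match = NEW_ACCOUNT.search(rec["description"])
        if match is None:
            continue
        creator = rec["user"].split("\\")[-1].lower()
        result[creator].append(match.group(1))
    return dict(result)

def accounts_created_by(lines, creator):
    """Accounts created by one user, e.g. the juser from the question."""
    return accounts_created(lines).get(creator.lower(), [])

if __name__ == "__main__":
    for who, names in accounts_created(SAMPLE_DUMPEL.splitlines()).items():
        print("%s created: %s" % (who, ", ".join(names)))
```

Run it over the concatenation of the seclog files dumped from every domain controller, since each DC only holds the events it handled itself.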
 
LVL 4

Expert Comment

by:ncrones
ID: 11961851

If the user accounts were all created by one user then that user will be set as the owner of the new user object (to view in AD user object properties, security tab, advanced, Owner)

All you need to do is dump AD using csvde.exe or similar tool and look for the owner attribute (ntSecurityDescriptor) and sort by that.

hope that helps

cheers

Nick

 

Author Comment

by:Drew_Mora
ID: 11965937
Is CSVDE.EXE part of the 2000 or 2003 resource kit?

Thanks : )
 
LVL 3

Accepted Solution

by:joelleo (earned 2000 total points)
ID: 11966082
Aloha Drew.

Ncrones has a good point. One thing to keep in mind: if juser is a member of domain admins the owner of any accounts he creates will be domain admins as opposed to juser.

Also, you can view object ownership in AD by turning on Advanced Features of the Active Directory Users & Computers tool.

From the ADU&C tool:

-Click View
-Click Advanced Features

you'll see some more objects and containers in the tool, but you'll also see a Security tab on object properties. Click on Advanced on that tab and then click the Owner tab.

hth

Joel Leo
 

Author Comment

by:Drew_Mora
ID: 11966273
Thanks a lot Joelleo and ncrones! I am working on the export now!

--Drew
 

Author Comment

by:Drew_Mora
ID: 11966509
OK, so I have an Excel file, but I have no idea how to read it. Does anybody know the syntax for exporting just users? Could I get even more granular and filter by owner?
 

Author Comment

by:Drew_Mora
ID: 11966908
OK, so I have tried the dumpEL option with the -e 624....The file comes up blank, there are no 624 entries in the DC1, DC2, or DC3 security log. -->So then I tried the csvde.exe route, and I have a 14MB Excel file that I cannot find the owner attribute in. I must really be doing something wrong here. When I did the csvde export I used the following syntax:

--> csvde -f outputDC.csv -r "(objectClass=user)"
Export complete 8629 entries exported

Thanks for all your help so far, but I must be doing something wrong....please help : )
 
LVL 3

Expert Comment

by:joelleo
ID: 11966994
Aloha Drew.

Do you see any entries in your security logs on the domain controllers? If auditing is turned off you won't have any entries at all, in which case the csvde route is the only route for you.

As an experiment, try creating a new user directly on a domain controller and then check the security log - you should see a successful 624 event in Security source with your username on it, along with the new user's details in the description pane. If you don't, you likely don't have auditing turned on, which can be verified using the Local Security Policy tool.

Joel
 

Author Comment

by:Drew_Mora
ID: 11967151
OK, so I just found out that auditing is not turned on. Thanks for your help anyhow : )

--Drew
 

Author Comment

by:Drew_Mora
ID: 11968687
So now that I know that I have to use csvde.exe, please help me figure out how to export the user and the owner. I did an export and got all the user info, but I could not find the owner info anywhere in the spreadsheet.

--Thx in advance, Drew
 
LVL 4

Expert Comment

by:ncrones
ID: 14079406
see my earlier comment:

All you need to do is dump AD using csvde.exe or similar tool and look for the owner attribute (ntSecurityDescriptor) and sort by that.


ntSecurityDescriptor is the attribute you want to be looking for - that is the owner attribute, from memory? So something like this if you want to dump to CSV from a particular OU:

csvde -m -f OUTPUT.CSV -d "OU=****,OU=***,DC=***,DC=***,DC=**,DC=**" -r "(objectClass=User)" -l "DN,objectClass,cn,description,ntSecurityDescriptor,instanceType,sAMAccountName,objectCategory"
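To get the owner out of the csvde export described here, and to spot the Domain Admins ownership case from the accepted answer, an added Python example (not code from the thread): it parses the self-relative security descriptor stored in ntSecurityDescriptor and returns the owner SID. It assumes csvde writes binary attributes as X'hex' cells; the sample descriptors are constructed with a made-up domain SID.

```python
import struct

def parse_sid(buf, offset):
    """Decode a binary SID at buf[offset:] into S-R-A-S1-S2... form."""
    revision, sub_count = buf[offset], buf[offset + 1]
    authority = int.from_bytes(buf[offset + 2:offset + 8], "big")
    subs = struct.unpack_from("<%dI" % sub_count, buf, offset + 8)
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)

def owner_sid(sd):
    """Owner SID of a self-relative SECURITY_DESCRIPTOR: 20-byte header
    (Revision, Sbz1, Control, OffsetOwner, OffsetGroup, OffsetSacl, OffsetDacl)."""
    revision, _sbz1, _control, off_owner, _g, _s, _d = struct.unpack_from("<BBHIIII", sd, 0)
    if revision != 1 or off_owner == 0:
        return None  # unsupported revision or no owner stored
    return parse_sid(sd, off_owner)

def csvde_binary(cell):
    """Decode a csvde cell holding a binary attribute (assumed X'hex' layout)."""
    if cell.startswith("X'") and cell.endswith("'"):
        return bytes.fromhex(cell[2:-1])
    raise ValueError("not a csvde binary cell: %r" % cell[:16])

DOMAIN_ADMINS_RID = 512  # well-known RID; the caveat in the accepted answer

def owner_is_domain_admins(sid):
    return sid is not None and sid.split("-")[-1] == str(DOMAIN_ADMINS_RID)

# --- constructed sample data (made-up domain SID, not from a real export) ---
def encode_sid(sid):
    parts = [int(p) for p in sid.split("-")[1:]]
    rev, auth, subs = parts[0], parts[1], parts[2:]
    return bytes([rev, len(subs)]) + auth.to_bytes(6, "big") + struct.pack("<%dI" % len(subs), *subs)

def build_sample_sd(owner, group):
    """Minimal self-relative descriptor with owner and group only (0x8000 = SE_SELF_RELATIVE)."""
    o, g = encode_sid(owner), encode_sid(group)
    return struct.pack("<BBHIIII", 1, 0, 0x8000, 20, 20 + len(o), 0, 0) + o + g

DOMAIN = "S-1-5-21-1111-2222-3333"
CELL_USER_OWNED = "X'%s'" % build_sample_sd(DOMAIN + "-1105", DOMAIN + "-513").hex()
CELL_ADMIN_OWNED = "X'%s'" % build_sample_sd(DOMAIN + "-512", DOMAIN + "-513").hex()
```

To turn the owner SID back into an account name, match it against the objectSid column of the same export; objects whose owner ends in -512 were created by a Domain Admins member and cannot be attributed to an individual this way.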
 
LVL 4

Expert Comment

by:ncrones
ID: 14079412
use csvde /? for the syntax
