Solved

How can you tell who created an Active Directory user object?

Posted on 2008-10-03
8
38,521 Views
Last Modified: 2012-06-07
Is there a way to tell who created user accounts in Active Directory?  I've found the attribute that tells me when the object was created (whenCreated) but is there any method to determine the creator?


Thanks.

0
Comment
Question by:trippleO7
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
8 Comments
 
LVL 57

Accepted Solution

by:
Mike Kline earned 125 total points
ID: 22635779
Audit Account Managment needs to be enabled

http://technet.microsoft.com/en-us/library/cc737542.aspx

That setting is set to Success by default on the default domain controllers GPO.

If that is set then then the account creation should show up as a 624 event in the security log of the DC it was created on.

That 624 event will tell you who created the account.

Hope that helps

Thanks
Mike

0
 
LVL 23

Expert Comment

by:Justin Durrant
ID: 22635784
it is tough without a 3rd party auditing product. Your one chance is by looking at the ACL for any telltale ACES and look at the owner listed on the SD. If the user had admin rights in the domain this won't work because it will say administrators
0
 
LVL 9

Assisted Solution

by:gregcmcse
gregcmcse earned 125 total points
ID: 22635793
Assuming you've got basic security auditing running on your domain controllers, you should be able to take that timestamp and use it to go review the event logs on your domain controllers.  You're looking for event ID 624.

I believe user account creation is one of the events that is audited with the default audit settings.
0
Back Up Your Microsoft Windows Server®

Back up all your Microsoft Windows Server – on-premises, in remote locations, in private and hybrid clouds. Your entire Windows Server will be backed up in one easy step with patented, block-level disk imaging. We achieve RTOs (recovery time objectives) as low as 15 seconds.

 
LVL 18

Expert Comment

by:Americom
ID: 22635862
Usually you can right click on the user object>Properties>Security>Advanced>Owner, only if it was not created by Administrator. The Object will also show you when the object was created and modified.
The only problem with security event viewer is you may need to increase the log size to record a day or two. If your DC is very busy, even with 130MB size could only record 24 hours. Any size larger than that would create viewing problem as the security event log are constant being updated. Without a realy product like MOM or a 3rd party product to manage event log would be tough.
1
 
LVL 23

Expert Comment

by:Justin Durrant
ID: 22635931
^^ right. That is why I mentioned using a 3rd party auditing tool.. the overload on the DC is not worth using normal auditing methods.
0
 
LVL 6

Author Comment

by:trippleO7
ID: 22636025
Thanks everyone!  Looks like event 624 will do the trick.  I did find out that in Win2008/Vista, the event ID is now 4720 just as an FYI.

@mkline71- Very helpful link you provided...Thanks!

@gregcmsce- My DC's were all set to audit that event, so I'm guessing that was default as you mentioned.  As I have not set that.

@Americom- My DC's are very busy and it does flush the old events in the log.  I was going to use a clever workaround with my Vista workstation and Subscribe to these specific 624 events from my DC's.  This way I was hoping it would create a local event log file on my Vista machine eliminating the size problem with the log files.  Of course, I'm not 100% sure it creates a local log file, nor do I think I can subscribe to Win2003 DC events using Vista.  It's a good idea so I'm trying to see if I can get it to work.

Thanks for all of the help and ideas!


0
 
LVL 6

Author Closing Comment

by:trippleO7
ID: 31502835
Split the points as provided same solution and extra information.  Thanks!
0
 

Expert Comment

by:ashwanijain
ID: 38057334
If the event logs are overwritten from DC ,than is there option to find out who has created the user account in active directory.

Regards
0

Featured Post

Free NetCrunch network monitor licenses!

Only on Experts-Exchange: Sign-up for a free-trial and we'll send you your permanent license!

Here is what you get: 30 Nodes | Unlimited Sensors | No Time Restrictions | Absolutely FREE!

Act now. This offer ends July 14, 2017.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Always backup Domain, SYSVOL etc.using processes according to Microsoft Best Practices. This is meant as a disaster recovery process for small environments that did not implement backup processes and did not run a secondary domain controller that ne…
Did you know that more than 4 billion data records have been recorded as lost or stolen since 2013? It was a staggering number brought to our attention during last week’s ManageEngine webinar, where attendees received a comprehensive look at the ma…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…

688 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question