vbscript: Field Used to Determine Who Added a PC to Active Directory

Posted on 2009-02-10
Last Modified: 2012-06-21
I have to write a script to determine who added a PC to a directory. What's the name of that field that I need to search for?
Question by:JB4375

    Assisted Solution

    by:Chris Dent

    There is no explicit attribute that will tell you who joined a system to the domain.

    You might get somewhere with the managedBy attribute, however it is optional and probably not filled in.

    Or you might be able to read the security descriptor and see if anyone has been granted explicit permission to modify the account. This normally occurs when you pre-stage accounts so someone else can join it to the domain.

    However, if you don't use either of those then the only way you can tell who created the object is by enabling Auditing, and capturing the event from the Security Log (on each DC). Point-in-time auditing like that is not retroactive; you won't be able to see who created existing accounts (before auditing is enabled).


    Author Comment

    OK... I found within Active Directory:
    • Properties
    • Security
    • Advanced Tab
    • Owner
    • Current Owner of this item: UserID  <-----This is the attribute I'm looking for.

    Accepted Solution

    Ok... found a script that pulls it for anyone that's interested:
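    ' Bind to the computer object whose owner you want to read.
    ' Placeholder: replace with the distinguished name of the computer object.
    Set objUser = GetObject _
        ("LDAP://<distinguished name of the computer object>")

    ' The owner is stored in the object's security descriptor.
    Set objNtSecurityDescriptor = objUser.Get("ntSecurityDescriptor")
    WScript.Echo "Owner Tab"
    WScript.Echo "Current owner of this item: " & objNtSecurityDescriptor.Owner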
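The same owner lookup run over every computer object under a search base, together with the managedBy attribute mentioned in the first answer. This is an added example, not code from the thread. The search base DN is a placeholder, and whenCreated is included as an assumption about what is useful to line up with Security Log events.

```vbscript
Option Explicit

' Placeholder search base: replace with a container or OU in your own domain.
Const SEARCH_BASE = "OU=Workstations,DC=example,DC=com"

Dim conn, cmd, rs, comp, sd, managedBy

' Query the directory through the ADSI OLE DB provider.
Set conn = CreateObject("ADODB.Connection")
conn.Provider = "ADsDSOObject"
conn.Open "Active Directory Provider"

Set cmd = CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.Properties("Page Size") = 500   ' page results so large OUs are not truncated
cmd.CommandText = "<LDAP://" & SEARCH_BASE & ">;" & _
                  "(objectCategory=computer);" & _
                  "ADsPath,cn,whenCreated;subtree"

WScript.Echo "Computer" & vbTab & "Owner" & vbTab & "managedBy" & vbTab & "whenCreated"

Set rs = cmd.Execute
Do Until rs.EOF
    ' ADsPath is returned already escaped, so it is safe to bind with directly.
    Set comp = GetObject(rs.Fields("ADsPath").Value)

    ' Owner of the object, as shown on the Advanced Security "Owner" tab.
    Set sd = comp.Get("ntSecurityDescriptor")

    ' managedBy is optional; Get raises an error when it is not populated,
    ' in which case the default below is kept.
    managedBy = "(not set)"
    On Error Resume Next
    managedBy = comp.Get("managedBy")
    On Error GoTo 0

    WScript.Echo rs.Fields("cn").Value & vbTab & sd.Owner & vbTab & _
                 managedBy & vbTab & rs.Fields("whenCreated").Value
    rs.MoveNext
Loop

rs.Close
conn.Close
```

Run it with `cscript` so the output goes to the console. The owner is only as specific as the creating account: objects created by members of Domain Admins are typically owned by the group rather than an individual.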
