• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 401
  • Last Modified:

Active Directory 2008

Hi, a User has been created in AD, SBS 2008. the user is called ACCESS and has full admin rights. I know i never created this user.

The user has logged onto both the DC and TS servers.

Is there a way I can check to see when this user account was created, just after a date or date range.

1 Solution
Open active directory, click on view at the top click add remove columns search for modified date and add it to the list
You can verify the date of creation for an object in Active directory Users and Computers in menu View - Select Advanced Features

Then Select the object ACCESS, enter properties, select tab object and there you should view the creation date.
Lee W, MVPTechnology and Business Process AdvisorCommented:
I hope this is obvious... but just in case... CHANGE ALL YOUR PASSWORDS NOW.  And disable that account.
Check the security log on the DC for below events this will give account creation date,the person who has created,etc.

Event id 4720 will be generated  on windows 2008 for account creation.
Event id 624 will be generated on windows 2003/2000  for account creation.


This event will be generated if you have enabled Audit account management in the Default Domain Controller GPO.Also if the event is older it might get purge and you want be able to see the same even if the policy is enabled.

I would also recommed to enable Audit Directory Service Access if not enabled.This will give evidence if any change to Directory service is made,example delete of dns zone,changes to Active directory object,etc


Featured Post

Important Lessons on Recovering from Petya

In their most recent webinar, Skyport Systems explores ways to isolate and protect critical databases to keep the core of your company safe from harm.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now