Who created an AD user?

I have the need to determine who created a user in AD. Unfortunately our old system administrator ( wjo no longer works for the company) didn't enable auditing on our DC's. Is there any way that I can find out who created this particular account from a few months ago?
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Mike KlineCommented:
Without auditing the answer is unfortunately no.  You can only find the whencreated date from the actual account.



Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
How many users have administrative rights to create users, or there are users delegated rights to create users within their OU?
Without auditing, the only thing you can do is process of elimination.
Who has rights and check with them. Presumably an error occurred where the newly created user had rights they should not have.
Henrik JohanssonSystems engineerCommented:
If auditing hasn't been enabled, you can check the permissions of the user object and see who's owner of the object. If it wasn't a member of Domain Admins group, the owner is normally the creator. Not bullet proof as owner can be changed, but it's the only way I'm aware of to find possibly creator if auditing hasn't been enabled.
Either use the security tab->advanced in properties of object in ADUC or use dsacls command line.
dsacls <objectDN> | findstr Owner

Open in new window

Discover the Answer to Productive IT

Discover app within WatchGuard's Wi-Fi Cloud helps you optimize W-Fi user experience with the most complete set of visibility, troubleshooting, and network health features. Quickly pinpointing network problems will lead to more happy users and most importantly, productive IT.

If the account was created by a domain administrator, the owner will be Domain Administrators. If the account was created by anyone else the owner should be the requester.

Object properties > Security > Advanced > owner
Is a network (home) drive associated with the account? Depending on the environment, I've seen were we could determine who created an account based on the permissions/ownership of the top-level shared folder. For example, if new user John Smith has an H:\ drive mapped as his home directory, the drive will be created at the same time his account is, provided that the correct template is used when creating the account. The person creating the account has effectively created the home drive folder as well, which could show up in the permissions for that folder.
Implementing a real audit/logging solution is the best course of action. This way you will always know who did what. Look into AD event Auditing for the future.
btanExec ConsultantCommented:
Ideally is to have the Audit Account Managment needs to be enabled as all to be mentioned and to look out for the account creation should show up as a 624 (Win2K3 and below) or 4720
(Win2K8 / 2012) event in the security log https://technet.microsoft.com/en-us/library/dn319091.aspx
This approach to leverage on audit configuration can be further managed centrally with Group Policy and configured for event forwarding. This auditing can be beneficial to monitor accounts for change records for selected accounts.

Other means can be to minimally see the period and correlate which admin user has login and likely it may be the "creator" etc and can be further interviewed..
- In AD Users and Computers, inspecting the Object tab of the user account, there is a Created field. From the View menu > Advanced to be able to see the Object tab
- dsquery * -filter "(SamAccountName=<USERNAME>)" -attr Name whenCreated
or in general sytax is something like this "dsquery * domainroot -filter "(&(objectCategory=Person)(objectClass=User))" -attr distinguishedName sAMAccountName whenCreated -Limit 0"
Seth SimmonsSr. Systems AdministratorCommented:
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Active Directory

From novice to tech pro — start learning today.