smart Z
asked on
finding who created AD
Hello experts,
I would like to know about an account that is created in AD. I would like to audit it and find more info.
Is this possible, and what are the steps to find out?
Thanks
If you are trying to determine who created an AD account, and assuming you have a standard AD setup with default settings, the short answer is "you probably can't". AD does not keep track of this information in a manner that is very easy to get to or interpret. Put another way, AD does not keep track of it in the standard database along with other information such as the user's job title, description, etc. All AD will give you is the last date/time the account was modified and the date/time the object was created.
There is a separate database in AD called the replication database (meta-data), but the standard tools to read this are crude and hard to use.
There is also the audit log, but you have to have that enabled in order to get the events recorded, then you have to have the time and patience to scan the logs to get what you want.
Here is a Microsoft article with links to both of these approaches:
https://social.technet.microsoft.com/Forums/windowsserver/en-US/91e5ba5c-4604-426e-989b-ea21aabfcee1/how-to-trace-who-created-the-account-in-active-directory?forum=winserverDS
Another option, if you have funds, is to purchase a 3rd party auditing tool from someone like Netwrix; it's what they do:
https://www.netwrix.com/active_directory_auditing.html
I don't work for them by the way.
ASKER
I am trying to find who created the user account and not the computer account. Can you please let me know how it is possible that I get information on who created the computer object and not the user name?
Thanks
ASKER CERTIFIED SOLUTION
Yes, it is possible; see the attached file.
You need to find the Event ID 4720 in the Domain Controllers Security logs.
Or run the below PowerShell script on one of your domain controllers to search them all:
Hope that helps.
quickref.pdf
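
An added example, not the script from the answer above: one way to search the Security log of every domain controller for Event ID 4720 and report which account created the new user. The account name, the look-back window and the use of the ActiveDirectory RSAT module are assumptions.

```powershell
# Added example. Assumes the ActiveDirectory module, rights to read the
# Security log remotely, and that "Audit User Account Management" was
# enabled when the account was created (otherwise no 4720 event exists).
Import-Module ActiveDirectory

$AccountName = 'jdoe'   # hypothetical sAMAccountName; use '*' to match all
$DaysBack    = 30       # assumed look-back window

$filter = @{
    LogName   = 'Security'
    Id        = 4720    # user account created; 4741 is the computer-account event
    StartTime = (Get-Date).AddDays(-$DaysBack)
}

$results = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        # The event is written only on the DC that processed the creation,
        # so each DC's log has to be queried.
        $events = Get-WinEvent -ComputerName $dc.HostName -FilterHashtable $filter -ErrorAction Stop
    }
    catch {
        # Get-WinEvent errors both when a DC is unreachable and when no
        # events match; report it and move on to the next DC.
        Write-Warning "$($dc.HostName): $($_.Exception.Message)"
        continue
    }

    foreach ($evt in $events) {
        # Read EventData fields by name rather than by position.
        $data = @{}
        foreach ($d in ([xml]$evt.ToXml()).Event.EventData.Data) {
            $data[$d.Name] = $d.'#text'
        }
        if ($data['TargetUserName'] -notlike $AccountName) { continue }

        [pscustomobject]@{
            TimeCreated = $evt.TimeCreated
            DC          = $dc.HostName
            NewAccount  = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
            CreatedBy   = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
        }
    }
}

$results | Sort-Object TimeCreated | Format-Table -AutoSize
```

If the Security log has already rolled over past the creation time, the event is gone and this search returns nothing for that account.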