Posted on October 31, 2017 · Posted in Active Directory, Powershell

Getting AD Accounts Created in the Last 24 Hours

The IT security department asked for the simplest possible audit system: a daily report of the Active Directory accounts created in the last 24 hours, together with the name of the account that created each of them in the domain.

A PowerShell Script to Get the List of Recently Created Users in Active Directory

The easiest way to get the list of users created in Active Directory in the last 24 hours is the Get-ADUser PowerShell cmdlet, filtering on the whenCreated attribute, which stores the date and time the account was created. I have written this simple PowerShell script:

# Requires the ActiveDirectory module (RSAT / AD PowerShell on a DC or admin workstation)
Import-Module ActiveDirectory
$lastday   = (Get-Date).AddDays(-1)
$filename  = Get-Date -Format yyyy.MM.dd
$exportcsv = "C:\ps\new_ad_users_" + $filename + ".csv"
# whenCreated is not among the default attributes returned, so request it explicitly or it will be missing from the CSV
Get-ADUser -Filter { whenCreated -ge $lastday } -Properties whenCreated |
    Export-Csv -Path $exportcsv -NoTypeInformation

In this example, the list of AD accounts is saved to a file named after the current date. Using Task Scheduler, you can run this script daily, and the files containing the creation date of each account will accumulate in the directory you specify. You can add any other attributes of Active Directory users to the report with -Properties (see the article on using the Get-ADUser cmdlet).

How to Find Out Who Created a User Account in Active Directory

Besides the fact that an account was created, security specialists are usually interested in who created it. This information is not stored on the user object; it can only be found in the Security event log of the Active Directory domain controllers.

When a new user is created, an event with Event ID 4720 is written to the Security log of the domain controller, and only on the DC on which the account was created. For the event to appear, Success auditing for the Audit User Account Management subcategory (Advanced Audit Policy Configuration > Account Management) must be enabled in the Default Domain Controllers Policy.

The description of this event contains the string "A user account was created"; the Subject section names the account used to create the new AD user, and the New Account section names the account that was created (shown on the screenshot below).

Event ID 4720 on the domain controller: a user account was created

The script to export all account-creation events from the domain controller log for the last 24 hours can look like this (because 4720 is written only on the DC that processed the creation, run it on every DC, or query each DC with the -ComputerName parameter of Get-WinEvent):

$time      = (Get-Date) - (New-TimeSpan -Hours 24)
$filename  = Get-Date -Format yyyy.MM.dd
$exportcsv = "C:\ps\ad_users_creators_" + $filename + ".csv"
# Get-WinEvent throws an error if no event matches the filter, so suppress it on days with no new accounts
Get-WinEvent -FilterHashtable @{LogName="Security"; ID=4720; StartTime=$time} -ErrorAction SilentlyContinue | ForEach-Object {
    $event = [xml]$_.ToXml()
    if ($event) {
        $eventTime   = Get-Date $_.TimeCreated -UFormat "%Y-%m-%d %H:%M:%S"
        # EventData fields of 4720, in order: [0] TargetUserName (new account), [4] SubjectUserName (creator)
        $CreatorUser = $event.Event.EventData.Data[4]."#text"
        $NewUser     = $event.Event.EventData.Data[0]."#text"
        $dc          = $event.Event.System.Computer
        $dc + "|" + $eventTime + "|" + $NewUser + "|" + $CreatorUser | Out-File $exportcsv -Append
    }
}

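Both scripts above can be combined into one daily report. The following is an added example, not the original article's script: it collects event 4720 from every domain controller (since the event exists only on the DC that created the account), reads the event fields by name rather than by position, and cross-checks the result against whenCreated so that a new account with no matching 4720 event stands out. It assumes the ActiveDirectory RSAT module, membership in the Event Log Readers group (or equivalent rights) on each DC, and that remote event-log access is allowed through the firewall; the output path C:\ps\ is an assumption as well.

```powershell
# Added example (not the article's original code). Assumes: ActiveDirectory module,
# rights to read the Security log on every DC remotely, and an existing C:\ps\ folder.
Import-Module ActiveDirectory

$since  = (Get-Date).AddHours(-24)
$stamp  = Get-Date -Format 'yyyy.MM.dd'
$report = "C:\ps\new_ad_users_with_creators_$stamp.csv"

# Pull a named field out of the event XML instead of relying on positional Data[n]
# indexes, which differ between event IDs and are easy to get wrong.
function Get-EventField {
    param([xml]$EventXml, [string]$Name)
    ($EventXml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

$rows = foreach ($dc in (Get-ADDomainController -Filter *)) {
    # -ErrorAction SilentlyContinue: Get-WinEvent throws when nothing matches,
    # which is the normal case on a DC that created no accounts in the period.
    $events = Get-WinEvent -ComputerName $dc.HostName `
        -FilterHashtable @{ LogName = 'Security'; Id = 4720; StartTime = $since } `
        -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $x = [xml]$e.ToXml()
        [pscustomobject]@{
            DomainController = $dc.HostName
            Created          = $e.TimeCreated.ToString('yyyy-MM-dd HH:mm:ss')
            NewAccount       = (Get-EventField $x 'TargetUserName')
            NewAccountDomain = (Get-EventField $x 'TargetDomainName')
            NewAccountSid    = (Get-EventField $x 'TargetSid')
            CreatedBy        = "$(Get-EventField $x 'SubjectDomainName')\$(Get-EventField $x 'SubjectUserName')"
            CreatorLogonId   = (Get-EventField $x 'SubjectLogonId')   # correlates with the creator's 4624 logon event
        }
    }
}

$rows | Sort-Object Created | Export-Csv -Path $report -NoTypeInformation -Encoding UTF8

# Cross-check against the directory: an account that whenCreated reports as new but
# for which no 4720 was found means a DC was unreachable, its Security log has already
# rolled over, or auditing is not enabled on that DC.
$fromAd  = Get-ADUser -Filter 'whenCreated -ge $since' -Properties whenCreated
$missing = $fromAd | Where-Object { $_.SamAccountName -notin $rows.NewAccount }
if ($missing) {
    Write-Warning ("No 4720 event found for: " + ($missing.SamAccountName -join ', '))
}
```

The CSV written here has one row per created account with the DC that logged it, the creator in DOMAIN\user form and the creator's logon ID; the warning at the end is the check you want in a scheduled task, because a silently unreachable DC would otherwise simply make accounts disappear from the report.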

As described in the article Using audit to track who deleted your files on a Shared Folder, you can store these events not as a plain text file on each DC but in a MySQL database, using the MySQL .NET Connector from PowerShell. Alternatively, Windows Event Forwarding can send the 4720 events from all DCs to a single collector, so the script only has to read one log.
