June 1, 2021 | Active Directory, PowerShell

How to Check Who Created a User Account in AD?

In this article, we will look at how to find out the date a user account was created in Active Directory, and how to use PowerShell to get information from the domain controllers’ event logs about who created the account and when the user last logged on to the domain. These tasks often come up when auditing user accounts in Active Directory, finding and deleting inactive AD objects, or collecting statistics.

Contents:
  • AD User Accounts Creation Date
  • Finding Recently Created Active Directory Accounts with PowerShell
  • How to Find Out Who Created a User Account in Active Directory?

AD User Accounts Creation Date

You can get the creation date of any Active Directory object (user, computer or group) through the ADUC (dsa.msc) graphical snap-in (be sure to enable the Advanced Features option in the View menu).

  1. Find the required user in the ADUC tree manually or by using the AD search function;
  2. Open the user’s properties and select the Object tab;
  3. The date the object was created in Active Directory is specified in the Created field.

The same value can be obtained with the built-in AD attribute editor (whenCreated attribute).


Also, you can use the Get-ADUser cmdlet from the AD PowerShell module to get the creation date of a user account:

Get-ADUser a.brion -Properties name,whencreated | Select-Object name,whencreated


You can get the time of the user’s last login to the domain using the lastLogon or lastLogonTimestamp attributes. If you want to get the user login history from the domain controllers’ security logs, use the following guide.

Finding Recently Created Active Directory Accounts with PowerShell

With a simple PowerShell script, you can list user accounts recently created in Active Directory. To do this, use the Get-ADUser cmdlet to select all users and filter them by the value of the whencreated user attribute. For example, the following PowerShell script will list users created in Active Directory in the last 24 hours:

# Accounts created after this point in time are included in the report
$lastday = ((Get-Date).AddDays(-1))
# The current date becomes part of the report file name
$filename = Get-Date -Format yyyy.MM.dd
$exportcsv = "c:\ps\new_ad_users_" + $filename + ".csv"
Get-ADUser -Filter {(whencreated -ge $lastday)} -Properties whencreated | Select-Object Name, UserPrincipalName, SamAccountName, whencreated | Export-Csv -Path $exportcsv

In this example, the list of AD accounts is saved to a file with the current date as its name. You can schedule this script to run daily via Windows Task Scheduler. As a result, files containing the creation dates of new accounts will be saved in the directory you specified. You can add any other attributes of Active Directory users to your report (see the article on using the Get-ADUser cmdlet).


How to Find Out Who Created a User Account in Active Directory?

If there are multiple administrators in your Active Directory domain, or you have delegated the permissions to create and edit user accounts to other non-admin users (for example, to HR staff), you may be interested in the name of the user who created a specific account in Active Directory. This information can be found in the security logs of Active Directory domain controllers.

When you create a new user in the domain, an event with the EventID 4720 from the User Account Management source appears in the security log of the domain controller (only on the DC on which the account was created). The Audit User Account Management policy must be enabled in the Default Domain Controller GPO.

The description of this event contains the string: A user account was created. The Subject field contains the account under which the new AD user account was created. The new username is specified in the New Account field.

You need to collect 4720 events from all domain controllers. You can get a list of DCs using the Get-ADDomainController cmdlet. Then check for event 4720 on each of them and build a combined report. The script for getting all account creation events from the domain controller logs for the last 24 hours can look like this:

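$Report = @()
# Start of the search window: the last 24 hours
$StartTime = (Get-Date) - (New-TimeSpan -Hours 24)
$AllDCs = Get-ADDomainController -Filter *
ForEach ($DC in $AllDCs)
{
    # Event 4720 is logged only on the DC where the account was created, so query every DC
    Get-WinEvent -ComputerName $DC.Name -FilterHashtable @{LogName="Security";ID=4720;StartTime=$StartTime} | ForEach-Object {
        $eventXml = [xml]$_.ToXml()
        if ($eventXml)
        {
            # A separate variable, so that the StartTime filter is not overwritten for the next DC
            $Created = Get-Date $_.TimeCreated -UFormat "%Y-%m-%d %H:%M:%S"
            # In event 4720, Data[4] is SubjectUserName (the creator) and Data[0] is TargetUserName (the new account)
            $CreatorUser = $eventXml.Event.EventData.Data[4]."#text"
            $NewUser = $eventXml.Event.EventData.Data[0]."#text"
            $objReport = [PSCustomObject]@{
                User = $NewUser
                Creator = $CreatorUser
                DC = $eventXml.Event.System.Computer
                CreationDate = $Created
            }
            # Append only when an event was actually parsed
            $Report += $objReport
        }
    }
}
$Report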


As a result, you have a $Report object containing information about who created the AD user, when, and on which domain controller.
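An added example (not from the original article): the same 4720 fields read by their Name attribute instead of by position in the EventData array, with the creator checked against an allowlist of accounts expected to create users. The sample event XML, the allowlist entries and the function name ConvertFrom-UserCreatedEvent are constructed for illustration.

```powershell
# Constructed sample of a 4720 event (trimmed; every value is invented for illustration).
$sampleXml = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>4720</EventID>
    <TimeCreated SystemTime="2021-06-01T08:15:42.000Z" />
    <Computer>dc01.example.local</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserName">j.smith</Data>
    <Data Name="TargetDomainName">EXAMPLE</Data>
    <Data Name="SubjectUserName">hr.operator</Data>
    <Data Name="SubjectDomainName">EXAMPLE</Data>
  </EventData>
</Event>
'@

# Hypothetical allowlist of accounts that are expected to create users.
$ExpectedCreators = @('EXAMPLE\svc-provisioning', 'EXAMPLE\helpdesk.admin')

function ConvertFrom-UserCreatedEvent {
    param(
        [Parameter(Mandatory)][xml]$EventXml,
        [string[]]$AllowedCreators = @()
    )
    # Index the <Data> elements by their Name attribute, not by array position.
    $fields = @{}
    foreach ($d in $EventXml.Event.EventData.Data) {
        $fields[$d.GetAttribute('Name')] = $d.InnerText
    }
    foreach ($required in 'TargetUserName', 'SubjectUserName', 'SubjectDomainName') {
        if (-not $fields.ContainsKey($required)) {
            throw "Event is missing the '$required' field"
        }
    }
    $creator = '{0}\{1}' -f $fields['SubjectDomainName'], $fields['SubjectUserName']
    [PSCustomObject]@{
        User         = $fields['TargetUserName']
        Creator      = $creator
        DC           = $EventXml.Event.System.Computer
        # The UTC timestamp from the event is converted to local time by the cast.
        CreationDate = [datetime]$EventXml.Event.System.TimeCreated.SystemTime
        # True when the creator is not on the allowlist (comparison is case-insensitive).
        Unexpected   = $creator -notin $AllowedCreators
    }
}

ConvertFrom-UserCreatedEvent -EventXml $sampleXml -AllowedCreators $ExpectedCreators
```

Against live logs, pass the output of $_.ToXml() from Get-WinEvent as -EventXml; rows with Unexpected set to True are the ones to review first.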

You can export the report to a CSV file:

$filename = Get-Date -Format yyyy.MM.dd
$exportcsv = "c:\ps\ad_users_creators" + $filename + ".csv"
$Report | Export-Csv $exportcsv -Append -NoTypeInformation -Delimiter ","

Instead of a plain text file on the DC, you can save the information about the found events to an external database. For example, you can write data to MySQL via the MySQL .NET Connector for PowerShell or to Microsoft SQL Server. An example is described in the article “How to Audit File/Folder Deletion on Windows?”.

Also, you can get the creation date for Microsoft 365/Azure AD users via PowerShell.

1 comment

Shlomi June 14, 2021 - 6:24 pm

Lovely guide, thank you !!
