Windows OS Hub
  • Windows
    • Windows 11
    • Windows Server 2022
    • Windows 10
    • Windows Server 2019
    • Windows Server 2016
  • Microsoft
    • Active Directory (AD DS)
    • Group Policies (GPOs)
    • Exchange Server
    • Azure and Microsoft 365
    • Microsoft Office
  • Virtualization
    • VMware
    • Hyper-V
  • PowerShell
  • Linux
  • Home
  • About

Windows OS Hub

  • Windows
    • Windows 11
    • Windows Server 2022
    • Windows 10
    • Windows Server 2019
    • Windows Server 2016
  • Microsoft
    • Active Directory (AD DS)
    • Group Policies (GPOs)
    • Exchange Server
    • Azure and Microsoft 365
    • Microsoft Office
  • Virtualization
    • VMware
    • Hyper-V
  • PowerShell
  • Linux

 Windows OS Hub / Active Directory / How to Check Who Created a User Account in AD

March 13, 2024

How to Check Who Created a User Account in AD

In this article we will look at how to find out the date a user was created in Active Directory; how to use PowerShell to get information from the domain controller’s event logs about who created the user account and when the user last logged on to the domain. These tasks often occur when auditing user accounts in Active Directory, finding and deleting inactive AD objects, or collecting statistics.

Contents:
  • AD User Accounts Creation Date
  • Finding Recently Created Active Directory Accounts with PowerShell
  • How to Find Out Who Created a User Account in Active Directory?

AD User Accounts Creation Date

You can get the creation date of any Active Directory object (user, computer, or group) through the ADUC (dsa.msc) graphical snap-in (be sure to enable the Advanced Features option in the View menu).

  1. Find the required user in the ADUC tree manually or by using the AD search function;
  2. Open the user’s properties and select the Object tab;
  3. The date the object was created in the Active Directory is specified in the Created field. ad user creation date

The same value can be obtained with the built-in AD attribute editor (whenCreated attribute).

whencreated attribute active directory

Also, you can use the Get-ADUser cmdlet from the AD PowerShell module to get the creation date of a user account:

Get-ADUser a.brion –properties name,whencreated|select name,whencreated

Powershell: how to check Active Directory user account created date with get-aduser

You can get the time of the user’s last login to the domain using the lastLogon or lastLogonTimpestamp attributes. If you want to get the user login history by the domain controller security logs, use the following guide.

Finding Recently Created Active Directory Accounts with PowerShell

With a simple PowerShell script, you can list user accounts recently created in Active Directory. To do this, use the Get-ADUser cmdlet to select all users and filter them by the value of the whencreated user attribute. For example, the following PowerShell script will list users created in Active Directory in the last 24 hours:

$lastday = ((Get-Date).AddDays(-1))
$filename = Get-Date -Format yyyy.MM.dd
$exportcsv=”c:\ps\new_ad_users_” + $filename + “.csv”
Get-ADUser -filter {(whencreated -ge $lastday)} –properties whencreated | Select-Object Name, UserPrincipalName, SamAccountName, whencreated | Export-csv -path $exportcsv

In this example, the list of AD accounts is saved to a file with the current date as its name. You can make this script to run daily via Windows Task Scheduler. As a result, the files containing the information about the date of creation of new accounts will be saved in the directory you specified. You can add any other attributes of Active Directory users to your report (see the article on using the Get-ADUser cmdlet).

getting list of recently created accounts in the active directory

How to Find Out Who Created a User Account in Active Directory?

If there are multiple administrators in your Active Directory domain, or you have delegated the permissions to create and edit user accounts to other non-admin users (for example, to HR staff), you may interested in the information about the name of the user who created the specific account in Active Directory. This information can be found in the security logs of Active Directory domain controllers.

When you create a new user in the domain, an event with the EventID 4720 from the User Account Management source appears in the security log of the domain controller (only on the DC, on which the account has been created). The Audit User Account Management policy must be enabled in Default Domain Controller GPO.

The description of this event contains the string: A user account was created. The Subject field contains the account under which the new AD user account was created (highlighted in the screenshot below). The new username is specified in the New Account field.

Event ID 4720 - A user account was created.

You need to collect 4720 events from all domain controllers. You can get a list of DCs using the Get-ADDomainController cmdlet. Then it remains to check the events with ID 4720 on each of them and create a resulting report. The script for getting all account creation events from the domain controller logs for the last 24 hours can look like this:

$Report = @()
$time = (get-date) - (new-timespan -hour 24)
$AllDCs = Get-ADDomainController -Filter *
ForEach($DC in $AllDCs)
{
Get-WinEvent -ComputerName $dc.Name -FilterHashtable @{LogName="Security";ID=4720;StartTime=$Time}| Foreach {
$event = [xml]$_.ToXml()
if($event)
{
$Time = Get-Date $_.TimeCreated -UFormat "%Y-%m-%d %H:%M:%S"
$CreatorUser = $event.Event.EventData.Data[4]."#text"
$NewUser = $event.Event.EventData.Data[0]."#text"
$objReport = [PSCustomObject]@{
User = $NewUser
Creator = $CreatorUser
DC = $event.Event.System.computer
CreationDate = $Time
}
}
$Report += $objReport
}
}
$Report

How to detect who created a user account in Active Directory via PowerShell script

As a result, you have a $Report object containing information about who created the AD user, when, and on which domain controller.

You can export a report to a CSV file:

$filename = Get-Date -Format yyyy.MM.dd
$exportcsv=”c:\ps\ad_users_creators” + $filename + “.csv”
$Report | Export-Csv $exportcsv -append -NoTypeInformation -Delimiter ","

You can save the information about found events not to a plain text file on DC, but to an external database. For example, you can write data to MySQL via the MySQL .NET Connector for PowerShell or to Microsoft SQL Server. An example is described in the article “How to Audit File/Folder Deletion on Windows”?
1 comment
5
Facebook Twitter Google + Pinterest
Active DirectoryPowerShell
previous post
PowerShell: Check Free Disk Space and Disk Usage
next post
Caching Domain Logon Credentials on Windows

Related Reading

How to Refresh (Update) Group Policy Settings on...

August 13, 2024

Repairing the Domain Trust Relationship Between Workstation and...

May 16, 2024

Unable to Access SYSVOL and NETLOGON folders from...

May 10, 2023

Updating Group Policy Administrative Templates (ADMX)

January 24, 2025

Backing Up Active Directory with Windows Server Backup

November 26, 2024

Checking Active Directory Domain Controller Health and Replication

May 15, 2025

Display System Info on Desktop with BGInfo

February 6, 2025

Configuring Password Policy in Active Directory Domain

March 12, 2024

1 comment

Shlomi June 14, 2021 - 6:24 pm

Lovely guide, thank you !!

Reply

Leave a Comment Cancel Reply

join us telegram channel https://t.me/woshub
Join WindowsHub Telegram channel to get the latest updates!

Recent Posts

  • Map a Network Drive over SSH (SSHFS) in Windows

    May 13, 2025
  • Configure NTP Time Source for Active Directory Domain

    May 6, 2025
  • Cannot Install Network Adapter Drivers on Windows Server

    April 29, 2025
  • Change BIOS from Legacy to UEFI without Reinstalling Windows

    April 21, 2025
  • How to Prefer IPv4 over IPv6 in Windows Networks

    April 9, 2025
  • Load Drivers from WinPE or Recovery CMD

    March 26, 2025
  • How to Block Common (Weak) Passwords in Active Directory

    March 25, 2025
  • Fix: The referenced assembly could not be found error (0x80073701) on Windows

    March 17, 2025
  • Exclude a Specific User or Computer from Group Policy

    March 12, 2025
  • AD Domain Join: Computer Account Re-use Blocked

    March 11, 2025

Follow us

  • Facebook
  • Twitter
  • Telegram
Popular Posts
  • Configure Google Chrome Settings with Group Policy
  • Get-ADUser: Find Active Directory User Info with PowerShell
  • How to Find the Source of Account Lockouts in Active Directory
  • How to Disable or Enable USB Drives in Windows using Group Policy
  • Get-ADComputer: Find Computer Properties in Active Directory with PowerShell
  • Configuring Proxy Settings on Windows Using Group Policy Preferences
  • Adding Domain Users to the Local Administrators Group in Windows
Footer Logo

@2014 - 2024 - Windows OS Hub. All about operating systems for sysadmins


Back To Top