In this article, we will look at different methods to find who created a user account in AD (Active Directory). We’ll also explore how to use SCCM to query security event ID 4720, PowerShell scripts to get AD user creation dates, and list all the recently created user accounts.
When auditing your Active Directory environment, you should look for a list of user accounts, local admin accounts, service accounts, and inactive accounts. PowerShell can make your work easier in finding out these details and there are numerous scripts available on GitHub for free.
Besides PowerShell, a number of third-party tools can retrieve this information from Active Directory and Event Viewer. However, the majority of these tools are designed for businesses and come at extremely high prices.
Steps to find AD User Account Creation Date
Active Directory Users and Computers (ADUC) is an MMC snap-in that provides the creation date for almost every object created in Active Directory. Here are the steps to find out the date a user was created in Active Directory.
Step 1: Launch the Active Directory Users and Computers on the Windows Server. You can run the shortcut command dsa.msc to launch ADUC. Click on View and select Advanced Features.
Step 2: Right-click on the AD domain and select Find.
Step 3: In the Find Users, Contacts, and Groups window, type the user account name for which you want to find out the creation date and click on Find Now. Right-click on the account and select Properties.
Step 4: On the account properties window, switch to the Object tab, where you can view the date and time when the account was created. You can also find the account modification date in the same window.
Get AD User Creation Date using PowerShell
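You can use the Get-ADUser PowerShell cmdlet to get the creation date of a user account. By default, this cmdlet retrieves only a default set of user object properties, which does not include whenCreated, so that property has to be requested with the -Properties parameter.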
To retrieve all the properties for a specified user, run the below PS command.
Get-ADUser -Identity cmadmin -Properties *
The below PowerShell command returns the user creation date along with other user account properties.
Get-ADUser cmadmin -properties whencreated
The below PowerShell command gets only the AD user creation date and time without other user object properties.
Get-ADUser cmadmin -Properties whenCreated | Select-Object Name, whenCreated
Find who created a user account in AD
Active Directory doesn’t store information about the user who created a specific user account. Only the Event Viewer logs the details when a user account is created, modified, or deleted.
When you create a new user account in AD, security audit event ID 4720 is logged, provided that auditing of user account management has been enabled using a GPO.
Enable Auditing for User Account Changes
You’ll need to enable auditing on the domain controller (DC) for user account creation, deletion, and modification events. Only when you enable auditing for user account management will you see Event ID 4720 logged in Security when user accounts are created.
Note: Enabling auditing is easy, but you should understand that enabling it on the entire domain can have performance implications. As a result, obtain business approval before making this change, and it is recommended that it only be enabled when absolutely necessary for specific objects.
Use PowerShell to find who created user account
Once auditing is enabled via the GPO, you can use PowerShell to analyze the Security event log for Event ID 4720.
Launch PowerShell on the domain controller and run the below command to find who created a user account in AD.
Get-EventLog -LogName Security | Where-Object {$_.EventID -eq 4720} | Select-Object -Property *
The above PowerShell command retrieves all events from the security log and filters them for Event ID 4720. In the output, you can see which accounts were created and who created them.
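The same lookup as an added example (not part of the original article): it filters for Event ID 4720 inside the event log service with Get-WinEvent instead of piping the whole Security log through Where-Object, and reduces each event to the created account and its creator. ConvertFrom-Event4720Xml is a hypothetical helper name, and the sample event is constructed so the parsing can be tried without a domain controller.

```powershell
# Added example: reduce Security event 4720 to "who created which account".
# ConvertFrom-Event4720Xml is a hypothetical helper name, not a built-in cmdlet.
function ConvertFrom-Event4720Xml {
    param([Parameter(Mandatory)][string]$EventXml)

    $evt = ([xml]$EventXml).Event
    # EventData holds <Data Name="...">value</Data> pairs; index them by name.
    $data = @{}
    foreach ($d in $evt.EventData.Data) { $data[$d.Name] = $d.'#text' }

    [pscustomobject]@{
        TimeCreatedUtc = $evt.System.TimeCreated.SystemTime   # raw UTC timestamp
        NewAccount     = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
        CreatedBy      = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
        CreatorSid     = $data['SubjectUserSid']
    }
}

# Constructed sample event (trimmed to the fields used above) for an offline run.
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>4720</EventID>
    <TimeCreated SystemTime="2024-01-15T09:30:00.0000000Z" />
  </System>
  <EventData>
    <Data Name="TargetUserName">jdoe-test</Data>
    <Data Name="TargetDomainName">EXAMPLE</Data>
    <Data Name="SubjectUserSid">S-1-5-21-1111111111-2222222222-3333333333-1104</Data>
    <Data Name="SubjectUserName">helpdesk01</Data>
    <Data Name="SubjectDomainName">EXAMPLE</Data>
  </EventData>
</Event>
'@
ConvertFrom-Event4720Xml -EventXml $sample

# Live query: run elevated on a domain controller with auditing enabled.
if (Get-Command Get-WinEvent -ErrorAction SilentlyContinue) {
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720 } -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertFrom-Event4720Xml -EventXml $_.ToXml() } |
        Sort-Object TimeCreatedUtc -Descending
}
```

Event 4720 is written only to the Security log of the domain controller that processed the creation, so in a domain with several DCs the query has to be run against each of them.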
Use Event Viewer to find AD user account creation date
Event Viewer is an alternative to PowerShell for determining the date of AD user account creation. However, this method is manual, as it requires opening Event Viewer and examining the events with ID 4720.
Launch the Event Viewer on the Windows Server. Expand Windows Logs, right-click on the Security log and choose the option Filter Current Log. Now enter ‘4720’ in the search box to filter the events with ID 4720 and click OK. The event viewer shows all the events with ID 4720.
In the below screenshot, we see the new user account along with the date and time of creation. We also get to know who created this user account in Active Directory.
List Recently Created AD Accounts using PowerShell
Using a PowerShell script, you can list the user accounts that were created recently in Active Directory. Again, you can use the Get-ADUser cmdlet for all users and filter the output on the date when the account was created, compared against a cutoff date computed with the Get-Date cmdlet.
Run the PowerShell cmdlet below to get a list of all recently created AD user accounts over the last 30 days.
# Find user accounts created in AD in the last 30 days
Get-ADUser -Filter * -Properties whenCreated | Where-Object {$_.whenCreated -gt (Get-Date).AddDays(-30)} | Format-Table Name, whenCreated
In the above command, the number of days is set by the expression (Get-Date).AddDays(-X), where X is the number of days.
The below screenshot shows all the accounts that were created in AD in the last 3650 days.
Use CMPivot Query to Check Security Event ID 4720
In SCCM, you can use a CMPivot query to check the security event ID 4720 to find out the information about newly created accounts and who created them. You can run the query on a single device or a collection consisting of a group of devices.
Launch the Configuration Manager and go to Assets and Compliance > Overview > Devices. Right-click on the AD computer and select Start CMPivot.
In the CMPivot window, enter the following query to obtain information regarding newly created user accounts and who created them:
EventLog('Security') | where EventID == 4720