In this article, we will look at different methods to find who created a user account in AD (Active Directory). We’ll also explore how to use SCCM to query security event ID 4720, PowerShell scripts to get AD user creation dates, and list all the recently created user accounts.

When auditing your Active Directory environment, you should look for a list of user accounts, local admin accounts, service accounts, and inactive accounts. PowerShell can make your work easier in finding out these details and there are numerous scripts available on GitHub for free.

There are a number of programs that, in addition to using PowerShell, are able to retrieve the information from Active Directory and Event Viewer and provide you with the information that you require. On the other hand, the majority of these tools are designed for businesses and come at extremely high prices.

Install and Update Third Party Applications with Patch My PC
Install and Update Third Party Applications with Patch My PC

Also Read: How To Audit SCCM Device Collection Changes

Steps to find AD User Account Creation Date

Active Directory Users and Computers (ADUC) is an MMC snap-in that provides the creation date for almost every object created in Active Directory. Here are the steps to find out the date a user was created in Active Directory.

Step 1: Launch the Active Directory Users and Computers on the Windows Server. You can run the shortcut command dsa.msc to launch ADUC. Click on View and select Advanced Features.

find AD User Account Creation Date
Launch Active Directory Users and Computers

Step 2: Right-click on the AD domain and select Find.

find AD User Account Creation Date
Use Find to locate the user account

Step 3: In the Find Users, Contacts, and Groups window, type the user account name for which you want to find out the creation date and click on Find Now. Right-click on the account and select Properties.

find AD User Account Creation Date
Select User Account Properties

Step 4: On the account properties window, switch to the Object tab, and here you can view the date and time when the account has been created. You can also find the account modification date in the same window.

find AD User Account Creation Date
find AD User Account Creation Date

Get AD User Creation Date using PowerShell

You can use the Get-ADUser PowerShell cmdlet to get the creation date of a user account. This cmdlet retrieves a default set of user object properties.

To retrieve all the properties for a specified user, run the below PS command.

Get-ADUser -Identity cmadmin -Properties *

The below PowerShell command returns the user creation date along with other user account properties.

Get-ADUser cmadmin -properties whencreated
Get AD User Creation Date using PowerShell
Get AD User Creation Date using PowerShell

The below PowerShell command gets only the AD user creation date and time without other user object properties.

 Get-ADUser cmadmin -properties * | select name, whencreated
find AD User Account Creation Date
find AD User Account Creation Date using PowerShell

Find who created a user account in AD

The Active Directory doesn’t store information about the user who created a specific user account. Only the Event Viewer logs the details when a user account is created, modified, or deleted.

When you create a new user account in AD, a security audit event ID 4720 is logged. For this, you should have enabled audit user account management using a GPO. When you enable auditing of user accounts, the event ID 4720 is logged.

Enable Auditing for User Account Changes

You’ll need to enable auditing on the domain controller (DC) for user account creation, deletion, and modification events. Only when you enable auditing for user account management will you see Event ID 4720 logged in Security when user accounts are created.

Note: Enabling auditing is easy, but you should understand that enabling it on the entire domain can have performance implications. As a result, obtain business approval before making this change, and it is recommended that it only be enabled when absolutely necessary for specific objects.

Enable audit changes to user accounts
Enable audit changes to user accounts

Use PowerShell to find who created user account

Once auditing is enabled via the GPO, you can use PowerShell to analyze the Security event log for Event ID 4720.

Launch the PowerShell on the domain controller and run the below command to find who created a user account in AD.

Get-EventLog -LogName Security | Where-Object {$_.EventID -eq 4720} | Select-Object -Property *

The above PowerShell command retrieves all events from the security log and filters them for Event ID 4720. In the output, you can find out the list of accounts that were created and who created those accounts.

Find who created a user account in AD
Find who created a user account in AD using PowerShell

Use Event Viewer to find AD user account creation date

Event Viewer is an alternative to PowerShell for determining the date of AD user account creation. However, this method is manual in nature, as it necessitates the opening of an event viewer and the examination of the event ID 4720.

Launch the Event Viewer on the Windows Server. Expand Windows Logs, right-click on the Security log and choose the option Filter Current Log. Now enter ‘4720’ in the search box to filter the events with ID 4720 and click OK. The event viewer shows all the events with ID 4720.

In the below screenshot, we see the new user account along with the date and time of creation. We also get to know who created this user account in Active Directory.

Use Event Viewer to find AD user account creation date
Use Event Viewer to find AD user account creation date

List Recently Created AD Accounts using PowerShell

Using a PowerShell script, you can determine the number of user accounts that were created recently in Active Directory. Again, you can use the Get-ADUser cmdlet for all users and filter the output with the name and date when the account was created with the Get-Date parameter.

Run the PowerShell cmdlet below to get a list of all recently created AD user accounts over the last 30 days.

# Find user accounts created in AD since last 30 days

Get-ADUser -Filter * -Properties whenCreated | where {$_.whenCreated -gt (Get-Date).AddDays(-30)} | FT Name, whenCreated

In the above command, the number of days is specified in the parameter (Get-Date).AddDays(-X). Where X is the number of days.

List Recently Created AD Accounts using PowerShell
List Recently Created AD Accounts using PowerShell

The below screenshot shows all the accounts that were created in AD in the last 3650 days.

Finding Recently Created Active Directory Accounts with PowerShell
Finding Recently Created Active Directory Accounts with PowerShell

Use CMPivot Query to Check Security Event ID 4720

In SCCM, you can use a CMPivot query to check the security event ID 4720 to find out the information about newly created accounts and who created them. You can run the query on a single device or a collection consisting of a group of devices.

Launch the Configuration Manager and go to Assets and Compliance > Overview > Devices. Right-click on the AD computer and select Start CMPivot.

Use SCCM CMPivot Query to Check Security Event ID 4720
Use SCCM CMPivot Query to Check Security Event ID 4720

In the CMPivot window, enter the following query to obtain information regarding newly created user accounts and who created them:

EventLog('Security') | where EventID == 4720
Use SCCM CMPivot Query to Check Security Event ID 4720
Use SCCM CMPivot Query to Check Security Event ID 4720

Still Need Help?

If you need further assistance on the above article or want to discuss other technical issues, check out some of these options.

Prajwal Desai

Prajwal Desai is a technology expert and 10 time Dual Microsoft MVP (Most Valuable Professional) with a focus on Microsoft Intune, SCCM, Windows 365, Enterprise Mobility, and Windows. He is a renowned author, speaker, & community leader, known for sharing his expertise & knowledge through his blog, YouTube, conferences, webinars etc.