How to detect who created a user account in Active Directory


A user, with the right account permissions, can make almost any change to the Active Directory (AD) environment. Now imagine a scenario where an intruder creates a new user account and adds this user to a privileged group. This user might gain unrestricted access to sensitive data, depending on the group they were added to. This is why it is crucial to track all newly created user accounts in your organization. Read on to discover how.

Find out who created a user account using PowerShell:

Perform the following actions on the domain controller (DC):

  1. Press Start, search for Windows PowerShell, right-click on it, and select Run as administrator.
  2. Type the following script into the console:

     Get-EventLog -LogName Security | Where-Object {$_.EventID -eq 4720} | Select-Object -Property *

  3. Press Enter.
  4. This script will display the properties of Event ID 4720, which is logged when a user account is created. In the output, under Message → Subject, the Account Name and Security ID of the user who created the target user can be seen.

Note: If you are using a workstation, run the following script in PowerShell instead:

Get-EventLog -LogName Security -ComputerName <DC name> | Where-Object {$_.EventID -eq 4720} | Select-Object -Property *

where <DC name> is the name of the DC where the user was created.
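
To get the creator and the new account as separate fields instead of reading them out of the Message text, the event's XML can be parsed directly. This is an added example, not part of the original article; the function name ConvertFrom-UserCreatedEvent and the sample event (DC01.example.test, EXAMPLE\svc-temp, the SIDs) are constructed for illustration.

```powershell
# Added example: turn a 4720 event into an object with the creator (Subject)
# and the newly created account (Target) as separate fields.
function ConvertFrom-UserCreatedEvent {
    param([Parameter(Mandatory)][xml]$EventXml)

    # Index the <Data Name="..."> elements under EventData by their Name attribute.
    $data = @{}
    foreach ($d in $EventXml.Event.EventData.Data) {
        $data[$d.GetAttribute('Name')] = $d.InnerText
    }

    [pscustomobject]@{
        TimeCreated = $EventXml.Event.System.TimeCreated.SystemTime
        DC          = $EventXml.Event.System.Computer
        CreatedBy   = '{0}\{1}' -f $data.SubjectDomainName, $data.SubjectUserName
        CreatorSid  = $data.SubjectUserSid
        NewAccount  = '{0}\{1}' -f $data.TargetDomainName, $data.TargetUserName
        NewSid      = $data.TargetSid
    }
}

# Constructed sample event (not real data) so the function can be tried offline.
$sample = [xml]@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>4720</EventID>
    <TimeCreated SystemTime="2024-01-15T09:30:12.000Z" />
    <Computer>DC01.example.test</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserName">svc-temp</Data>
    <Data Name="TargetDomainName">EXAMPLE</Data>
    <Data Name="TargetSid">S-1-5-21-1111111111-2222222222-3333333333-1105</Data>
    <Data Name="SubjectUserSid">S-1-5-21-1111111111-2222222222-3333333333-500</Data>
    <Data Name="SubjectUserName">Administrator</Data>
    <Data Name="SubjectDomainName">EXAMPLE</Data>
  </EventData>
</Event>
'@
ConvertFrom-UserCreatedEvent -EventXml $sample

# On a DC (elevated console), feed real events through the same function:
# Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4720} |
#     ForEach-Object { ConvertFrom-UserCreatedEvent -EventXml $_.ToXml() }
```

The resulting objects can be sorted, filtered on CreatedBy, or exported with Export-Csv for review.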


The above method for viewing user creation events is laborious and time-consuming. A third-party AD auditing tool will be a boon to IT sysadmins who have to deal with thousands of devices and the events logged on each device. ManageEngine's ADAudit Plus provides a centralized platform to monitor all the changes in your AD, including user management actions such as creation, deletion, and more.

Find out who created a user account using ManageEngine ADAudit Plus:

  1. Download and install ADAudit Plus.
  2. Find the steps to configure auditing on your domain controller here.
  3. Open the ADAudit Plus console and log in as administrator.
  4. Navigate to Reports → Active Directory → User Management → Recently created users.

This will show you a list of recently created user accounts, including details on the time of creation, the DC where the action was performed, and more.

Advantages of using ADAudit Plus over Native Auditing:

  • Monitor and report on each phase in the life cycle of a user account, i.e., user creation, modification, and deletion.
  • Protect critical files in your organization by monitoring all file access, and automating responses to unwarranted accesses.
  • View recently set and changed passwords for your critical users. Additionally, troubleshoot repeated account lockouts using our account lockout analyzer.