Direct Inward Dialing: +1 408 916 9892
Note: To enable the required auditing, please refer to Step 1 on the Native AD Auditing tab. After this you can follow the steps below to view the relevant events.
Navigate to'Server Audit' Tab.
Since you're looking for local user account creations, choose the 'Local Account Management' tab You can then navigate to the pre-configured report named 'Recently Created Users'.
This gives you a report of newly created local user accounts. You can check who created a local user account here.
Customize the Period to desired time range. You can also define a custom period and save for quick reference.
A detailed audit information report is generated for the selected period.
Clicking on an event in the bar graph, filters the report view highlighting only the selected event.
Advanced filter options help you locate the specific event that you're looking for.
Launch theServer Manager and open the Group Policy Management Console (GPMC).
In the left pane, expand theForest and Domains nodes to reveal the specified domain you want to track the changes for.
Expand the domain and right-click Default Domain Policy. You can also choose a domain policy that is universal throughout the domain, or create a new GPO and link it to the Default Domain Policy.
Click on Edit of the desired group policy, to open up the Group Policy Management Editor.
Expand 'Computer Configuration'-->Policies-->Windows Settings-->Security Settings-->Local Policies-->Audit Policies.
Enable success and failure options for 'Audit account management'. also allow for more granular auditing. Select the 'Advanced Audit Policy'-->'Audit Policy'-->Account Management-->Audit User Account Management. Exit Group Policy Management Editor.
In the GPMC, choose the modified GPO, and click 'Add' in the 'Security' section on the right pane. Type 'everyone' in the text box and click 'Check Names' to "to track the changes made by everyone who has logged into the domain." or something similar would work.. Exit the GPMC.
From your 'Server Manager' go to 'Tools'and select 'ADSI Edit'.
Right click 'ADSI Edit' node from the left pane and select 'Connect to' option. This pulls up the 'Connection Settings'window.
Select the Default Naming Context' option from the 'Select a well-known Naming Context' drop down list.
Click 'Okay'and return to the ADSI Edit window. Expand 'Default Naming Context'and select the associated 'DC' subnode. Right-click this subnode and click 'Properties'.
In the 'Properties'window, go to the 'Security' tab and select 'Advanced'.After that select 'Auditing'tab and click 'Add'.
Click on ' Select a principal'.This will bring up a 'Select User, Computer or Group'Window. Type 'Everyone' in the textbox and verify it with 'Check Names'.
The 'Principal'in the 'Auditing Entry'window now shows 'Everyone'. In the 'Type' drop-down select 'All'to audit for both 'success' and 'failure'events.
In the 'Select' drop-down choose 'This object and all descendant object's. Select 'Full Control' in the 'Permissions' section.
This selects all the checkboxes available. Unselect the following check boxes:
You can view events of any new user accounts created in Event Viewer. Filter the log to view the following event.
Event ID 4720 describes a user account that is created.
You can check out the details of who created the local user account in the Event Properties. If the user account is a local user account, then the 'Account Domain' field will contain the device name on which it was created.
Does native auditing become a little too much?
Simplify local acccount management auditing and reporting with ADAudit Plus.
Get Your Free Trial Fully functional 30-day trialActive Directory Auditing just got easier!
ADAudit Plus comes bundled with more than 300 predefined reports that makes your AD auditing easier. The solution also sends real-time alerts for critical events and thereby help you to secure your network from threats and boost your IT security posture. Check out the capabilities of ADAudit Plus here.
Download ADAudit Plus
