none
How can I find the user that created a user account and the user who last updated the account

    Question

  • How can I find out who created a user account and who last updated the account. I think that this is the same information that is displayed in the description field on the General tab.

    I am using ADO commands and vbscript


    ug3j

    Thursday, June 07, 2012 7:20 PM

Answers

  • That information is not saved in AD. You will need to parse the system event logs for the corresponding events, assuming the events are being audited and the information has not yet been overwritten in the logs. You would need to determine the eventCode (event ID) for these events (user creation and user modification). This link explains:

    http://technet.microsoft.com/en-us/library/cc731607(v=WS.10).aspx

    Per this article, Event ID 5136 is generated when an AD object is modified, 5137 when and AD object is created.


    Richard Mueller - MVP Directory Services

    • Marked as answer by ug3j Friday, June 08, 2012 1:56 PM
    Thursday, June 07, 2012 9:30 PM

All replies

  • That information is not saved in AD. You will need to parse the system event logs for the corresponding events, assuming the events are being audited and the information has not yet been overwritten in the logs. You would need to determine the eventCode (event ID) for these events (user creation and user modification). This link explains:

    http://technet.microsoft.com/en-us/library/cc731607(v=WS.10).aspx

    Per this article, Event ID 5136 is generated when an AD object is modified, 5137 when and AD object is created.


    Richard Mueller - MVP Directory Services

    • Marked as answer by ug3j Friday, June 08, 2012 1:56 PM
    Thursday, June 07, 2012 9:30 PM
  • Thanks Richard.

    ug3j

    Friday, June 08, 2012 1:57 PM
  • I should point out that there are two attributes of all AD objects that can help you track down the correct information in the system logs. These are the whenCreated and whenChanged attributes. This will tell when the object was created and when it was last modified, which should help when you search the logs. Also, while whenCreated is replicated to all DC's, so they will all have the exact same creation time, the whenChanged attribute is technically not replicated. The date/time on each DC reflects when the last modification was replicated to that DC. The values will differ slightly on each DC, reflecting how long it took for the change to replicate.


    Richard Mueller - MVP Directory Services

    Friday, June 08, 2012 4:12 PM
  • Am looking for an account created an year before, I dont have Event/Audit logs. 

    Is there a way I can still find out WHO created the USER account ??

    Thanks, Sri


    -Vissa

    Thursday, March 13, 2014 9:55 PM
  • No.


    -- Bill Stewart [Bill_Stewart]

    Thursday, March 13, 2014 9:59 PM