ID move user account Active Directory RRS feed

  • Question

  • Hello,

    I have been investigating what is the ID to know which user accounts from the active directory have been moved and by which administrator.

    I found the ids to know that user accounts have been created(id=4720), deleted(id=4726), enabled(id=4722) and disabled(id=4725).

    Does anyone know the specific ID to know which user accounts have been moved to another organizational unit?

    Get-WinEvent -FilterHashtable @{LogName=”Security”;ID=¿?}


    Tuesday, October 10, 2017 8:06 AM


All replies

  • 5139 - AD Object moved 


    Tuesday, October 10, 2017 8:33 AM
  • That id had found me, but the event viewer did not pick it up, do you know which group policies should I enable?

    On the other hand, I thought that id was not worth because it is the same an object as a user account?


    Tuesday, October 10, 2017 8:40 AM
  • I cannot understand your English.


    Tuesday, October 10, 2017 8:43 AM
  • Sorry, I repeat it again.

    I also found that ID 5139 is the one that identifies the movement of users in the active directory, however I do not get that event in the event viewer when I move a user in the active directory, knows if I should enable some concrete group directive?

    I need to retrieve the information using the command Get-WinEvent -FilterHashtable @{LogName=”Security”;ID=5139}, and when I throw the command in powershell it does not return any event even though I have moved a user in the active directory.

    On the other hand,I have doubted if it was that ID because it refers to AD Object moved. AD Object is the same as a user account?


    Tuesday, October 10, 2017 9:01 AM
  • AdUser accounts are AdObjects.  There is no other user specific event.  You must configure AD auditing to get events.


    Tuesday, October 10, 2017 9:05 AM
  • This article may be of some help

    Tuesday, October 10, 2017 10:27 AM
  • The excellent blog post that simbrook2 posted has examples of computer and OU objects being moved. But the same would apply to user objects. The event ID is the same for users, since they are like any other AD object.

    Richard Mueller - MVP Enterprise Mobility (Identity and Access)

    Tuesday, October 10, 2017 12:32 PM