Can admins perform changes to AD data?

  • Question

  • Hi everyone,

    Please let me know if I am not in the appropriate forum.

    I am trying to understand a control our clients have in regards to user creation monitoring in AD. They want to implement a control that will notify a specific team with the complete list of new accounts created during the last month. My question is the following:

    Can I consider this report complete if I get it from AD, or is there any risk that Domain Admins can alter this information in the AD data set? I am not concerned about the report being changed during transmission, only at the source.

    Please let me know if any further details are required.

    Thanks in advance!

    Gexhi

    • Moved by PWMatherMVP Saturday, October 24, 2015 12:26 PM AD query
    Wednesday, October 21, 2015 4:40 PM

Answers

  • Admins can modify many attribute values in AD, but not those controlled by the system. Attributes indicating when objects were created, such as whenCreated, creationTime, createTimeStamp, and uSNCreated, are controlled by the system (AD) and cannot be changed by anyone.

    Richard Mueller - MVP Directory Services


    • Edited by Richard Mueller MVP Monday, October 26, 2015 2:45 PM Added to list of relevant attributes
    • Proposed as answer by Wendy Jiang Wednesday, October 28, 2015 1:58 AM
    • Marked as answer by Gexhi Tuesday, November 3, 2015 2:05 PM
    Monday, October 26, 2015 12:29 PM

All replies

  • Hi

    You might want to try a Windows Server related forum for this kind of question.

    Best Regards | Power2Plan | https://www.power2plan.com

    Friday, October 23, 2015 9:34 PM
  • Hi,

    You can use this code, which you can schedule to run every month.

    Get-ADUser -Filter * -Properties whenCreated | Where-Object { $_.whenCreated -ge ((Get-Date).AddDays(-30)).Date }

    You can export the output to CSV or TXT.

    • Proposed as answer by Wendy Jiang Wednesday, October 28, 2015 1:57 AM
    Monday, October 26, 2015 5:54 AM
  • Hi Gexhi,

    Yes, AD is the best place to get this information, if it's only user accounts and not Lync or mailboxes or some other stuff as well.

    You don't need to be an administrator to query the users' read-only list/details.

    A normal user account or a Helpdesk group member can get those details, without needing to worry about data alteration.

    If you still have issues, add them to a read-only ACL on the OU or domain.

    What permissions are required for enumerating users groups in Active Directory


    Regards,

    Satyajit

    Please "Vote As Helpful" if you find my contribution useful or "Mark As Answer" if it does answer your question. That will encourage me - and others - to take time out to help you.


    • Edited by Satyajit321 Monday, October 26, 2015 6:26 AM
    Monday, October 26, 2015 6:19 AM
  • The only trouble you will have is with the users that were created and deleted in between reports.

    Nosh Mernacaj, Identity Management Specialist

    Monday, October 26, 2015 3:34 PM
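As an added example (not code from any post in this thread), a version of the monthly report that also picks up the accounts Nosh mentions, the ones created and deleted between two reports, by reading tombstoned objects alongside live ones. Get-NewUserReport and the CSV path are my own names; it assumes the RSAT ActiveDirectory module and that the reporting account can read CN=Deleted Objects.

```powershell
# Added example (not from any post on this page): monthly report of user
# accounts created in the last N days, including accounts that were created
# and deleted before the report ran. Assumes the RSAT ActiveDirectory module
# and a caller allowed to read CN=Deleted Objects (Domain Admins by default;
# a read ACE can be delegated to a dedicated reporting account).
Import-Module ActiveDirectory

function Get-NewUserReport {
    param(
        [int]$Days = 30,
        [string]$Server            # pin one DC: uSN values are DC-specific
    )
    $Since  = (Get-Date).AddDays(-$Days).Date
    $Common = @{ Properties = 'whenCreated','uSNCreated','whenChanged','sAMAccountName' }
    if ($Server) { $Common.Server = $Server }

    # Live accounts. whenCreated and uSNCreated are system-owned; an admin
    # cannot write them, which is what makes them usable for this control.
    $Live = Get-ADUser -Filter { whenCreated -ge $Since } @Common |
        ForEach-Object {
            [pscustomobject]@{
                SamAccountName = $_.SamAccountName
                WhenCreated    = $_.whenCreated
                USNCreated     = $_.uSNCreated
                State          = 'Active'
                DeletedOn      = $null
            }
        }

    # Accounts created in the window but deleted before the report ran.
    # Tombstones and Recycle Bin objects keep whenCreated and sAMAccountName;
    # whenChanged on a deleted object is close to the deletion time.
    $Deleted = Get-ADObject -Filter { isDeleted -eq $true -and whenCreated -ge $Since } `
        -IncludeDeletedObjects @Common |
        Where-Object { $_.ObjectClass -eq 'user' } |
        ForEach-Object {
            [pscustomobject]@{
                SamAccountName = $_.sAMAccountName
                WhenCreated    = $_.whenCreated
                USNCreated     = $_.uSNCreated
                State          = 'Deleted'
                DeletedOn      = $_.whenChanged
            }
        }

    @($Live) + @($Deleted) | Sort-Object USNCreated
}

Get-NewUserReport -Days 30 | Export-Csv -Path .\NewUsers.csv -NoTypeInformation
```

Deleted objects are only visible for the tombstone lifetime (or Recycle Bin retention) of the domain, so the reporting interval must be shorter than that, and the Deleted rows let the receiving team see short-lived accounts rather than just the current population.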
  • I thank you all for your responses!
    Tuesday, November 3, 2015 2:04 PM