Who created an AD Account

[spazman]

I have searched here and google to no avail.

Does anyone know if AD stores WHO created an account? I have looked through the Schema and can't find it, however as you know the names aren't always what you think you are looking for.

If so, how do I access that info?

Thanks in Advance.

 

[itsp1965]

If you have auditing enabled for user account mgmt, then any new account changes would be showing up in the security event log under EventID 624

 

[spazman]

So, nothing id AD?

 

[kmcferrin]

Nope.

 

[spazman]

Thank you.

 

[kmills]

spazman,

Actually, with a little searching, you can usually identify who created an account. Look under the Security tab of the properties of the account. The user who created the account must have at least these four permissions (and probably a lot more):

Reset Password
Validated write to DNS host name
Validated write to service principal name
Write Account Restrictions

http://support.microsoft.com/kb/238793

I have used this more than once to track down who created a computer account.

kmills

 

[kmcferrin]

That won't work for user accounts, and may not always work for computer accounts.

If you want to always be able to document it, then you pretty much have to make it a policy/procedure to put notes on the account indicating who created it and why. Usually we just put in a reference to a ticket number in our helpdesk system since all account creations require a ticket. Then if we find one that doesn't have a note on it we disable the account.