How to Identify the Creator of an Account in Active Directory

Learn to find who created an account in Active Directory by enabling auditing and checking security logs.

To find who created an account in Active Directory (AD), enable auditing through Group Policy. Navigate to 'Computer Configuration' > 'Policies' > 'Windows Settings' > 'Security Settings' > 'Advanced Audit Policy Configuration' > 'Audit Policies' > 'Account Management' and enable both 'Audit User Account Management' and 'Audit Security Group Management'. With these policies enabled, account management activity is recorded in the Security log. Review that log in Event Viewer under 'Security' and search for the relevant Event IDs, such as 4720 (user creation), to identify the account creator.
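
The Event Viewer search described above can also be scripted. The following PowerShell is an added example, not part of the original page: it pulls Event ID 4720 from the Security log of each domain controller and reports the creator (the event's Subject fields) next to the created account (its Target fields). The domain controller names and the account name are placeholders, and it assumes the audit policy was already in effect when the account was created and that you have rights to read the Security log remotely.

```powershell
function Get-AccountCreator {
    [CmdletBinding()]
    param(
        # Domain controllers to query (placeholder names; substitute your own).
        [string[]]$DomainController = @('DC01.example.test', 'DC02.example.test'),
        # How far back to search; older events may already have rolled out of the log.
        [datetime]$Since = (Get-Date).AddDays(-30),
        # Optional: only report the creation of this sAMAccountName.
        [string]$AccountName
    )

    $filter = @{ LogName = 'Security'; Id = 4720; StartTime = $Since }

    # 4720 is written only on the DC that processed the creation, so check each one.
    foreach ($dc in $DomainController) {
        try {
            $events = Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction Stop
        } catch {
            # "No matching events" is a normal result; report anything else
            # (access denied, unreachable DC) so a gap in coverage is visible.
            if ($_.FullyQualifiedErrorId -notlike 'NoMatchingEventsFound*') {
                Write-Warning "${dc}: $($_.Exception.Message)"
            }
            continue
        }

        foreach ($record in $events) {
            # EventData is a list of <Data Name="...">value</Data>; index it by name.
            $f = @{}
            foreach ($d in ([xml]$record.ToXml()).Event.EventData.Data) {
                $f[$d.Name] = $d.'#text'
            }
            if ($AccountName -and $f['TargetUserName'] -ne $AccountName) { continue }

            [pscustomobject]@{
                TimeCreated    = $record.TimeCreated
                LoggedOnDC     = $record.MachineName
                CreatedAccount = '{0}\{1}' -f $f['TargetDomainName'], $f['TargetUserName']
                CreatedBy      = '{0}\{1}' -f $f['SubjectDomainName'], $f['SubjectUserName']
                CreatorSid     = $f['SubjectUserSid']
                CreatorLogonId = $f['SubjectLogonId']
            }
        }
    }
}

# Example call ('jdoe' is a placeholder account name):
Get-AccountCreator -AccountName 'jdoe' | Sort-Object TimeCreated | Format-Table -AutoSize
```

An empty result with no warnings means no 4720 event for that account exists in the searched window on the listed domain controllers, which is also what you see if auditing was not enabled at creation time or the log has since wrapped.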

FAQs & Answers

  1. What is Active Directory auditing? Active Directory auditing is a security feature that allows administrators to monitor changes made to user accounts and groups, helping to track who made specific changes and when.
  2. How do I enable auditing in Group Policy? To enable auditing in Group Policy, navigate to 'Computer Configuration' > 'Policies' > 'Windows Settings' > 'Security Settings' > 'Advanced Audit Policy Configuration', and configure the desired audit policies under 'Audit Policies'.
  3. What are Event IDs in Active Directory? Event IDs are numeric codes that correspond to specific system events in Windows logs. For example, Event ID 4720 indicates a user account creation event in Active Directory.
  4. How can I view security logs in Event Viewer? To view security logs in Event Viewer, open Event Viewer, navigate to 'Windows Logs' > 'Security', and search for the relevant Event IDs to find specific account creation actions.