Forum Discussion

dmarquesgn's avatar
dmarquesgn
Iron Contributor
Mar 28, 2022

Write custom field on user creation on AD

Hi,   I'm developing some scripts in order to have some visibility of some key issues within user creation. So I have a powershell script that reads some information about the users created in a 7...
Active Directory
powershell
Harm_Veenstra's avatar
Harm_Veenstra
MVP
Mar 28, 2022

dmarquesgn If you use a script to create the user (which you run as the admin account that you want to be registered)  you could add something like this:

  Set-ADUser  -Identity username -Add @{
    extensionAttribute1 = $env:username
  }

 

 

dmarquesgn's avatar
dmarquesgn
Iron Contributor
Mar 28, 2022
Hi,

Thanks. I understand and that would be great. But in our organization, where we got about 20 people creating and managing users, it will be really difficult to implement such a huge change on the user creation and management process. Most of the team is still very dependent of the GUI tools.
Do you see any other way?

Thanks
  • LainRobertson's avatar
    LainRobertson
    Silver Contributor
    Mar 29, 2022

    dmarquesgn 

     

    If the people doing the creating are members of the "admin" groups (i.e. Enterprise Admins, Domain Admins or Administrators) then the following won't help you. But if you've gone down the best practice route of removing everyone and leveraging Active Directory delegation, read on.

     

    When a "non-admin" creates an object in Active Directory, the "owner" within the ACL (click the Advanced button in the Security tab to see the listed owner if you're not sure how/where to check this) is set to the creator's account. Ergo, you can report on the "owner" and the process is tool-agnostic (see caveat below about middleware.)

     

    If everyone's just been dumped in one of the "admin" groups, this won't work as when such people create objects, the "owner" value is set to "Domain Admins" instead of the person doing the creating.

     

    The caveat is middleware that performs the administration activities under its own process identity. That won't help with native reporting as outlined above but it's possible such products have their own internal reporting mechanisms you can leverage.

     

    Cheers,

    Lain

  • Harm_Veenstra's avatar
    Harm_Veenstra
    MVP
    Mar 28, 2022
    Then you would have to run a Scheduled Task, checking the Domain Controllers logs to see if a User Account Created eventlog entry was recorded in the last hour. From there you could use that event to either log that event to a source or use it to fill a AD attribute. But if it's just for logging, you could use a tool/script to read the eventlog and dump it to a shared location. Does it have to be record in the useraccount?
    • dmarquesgn's avatar
      dmarquesgn
      Iron Contributor
      Mar 30, 2022
      Hi,
      No, recording in the user account is just something that if would be possible would be really nice, as then I could just run an Get-ADUser and extract all at once.
      But if I can log it, then I can create something from there.
      Thanks

Resources