Mar 28 2022 04:54 AM
Hi,
I'm developing some scripts in order to have some visibility of some key issues within user creation.
So I have a PowerShell script that reads some information about the users created in a 7 day range and sends it over email for analysis. One detail I'm missing is about each newly created user, who was it created by. I've searched a bit, and that's event 4720 registered on Security Event Log for each DC. The issue is that due to the amount of events being created, I only have about 3/4h of events on the security event log.
So to overcome this issue, what I considered was while creating the AD User, being able to use a custom field to write the creator user as well, so this way I would have all the information I need. Is this something possible?
Thanks
Mar 28 2022 07:56 AM
@dmarquesgn If you use a script to create the user (which you run as the admin account that you want to be registered) you could add something like this:
    Set-ADUser -Identity username -Add @{
        extensionAttribute1 = $env:username
    }
Mar 28 2022 10:17 AM
Mar 28 2022 10:28 AM
Mar 29 2022 04:46 AM
If the people doing the creating are members of the "admin" groups (i.e. Enterprise Admins, Domain Admins or Administrators) then the following won't help you. But if you've gone down the best practice route of removing everyone and leveraging Active Directory delegation, read on.
When a "non-admin" creates an object in Active Directory, the "owner" within the ACL (click the Advanced button in the Security tab to see the listed owner if you're not sure how/where to check this) is set to the creator's account. Ergo, you can report on the "owner" and the process is tool-agnostic (see caveat below about middleware.)
If everyone's just been dumped in one of the "admin" groups, this won't work as when such people create objects, the "owner" value is set to "Domain Admins" instead of the person doing the creating.
The caveat is middleware that performs the administration activities under its own process identity. That won't help with native reporting as outlined above but it's possible such products have their own internal reporting mechanisms you can leverage.
Cheers,
Lain
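The owner-based report described in the reply above, as an added example that is not part of the original thread. It assumes the RSAT ActiveDirectory module and read access to the security descriptor; the variable names and the 7-day window are illustrative, and the admin-group check uses the well-known SIDs so it does not depend on localized group names.

```powershell
Import-Module ActiveDirectory

$days  = 7                               # assumed look-back window (matches the 7-day report)
$since = (Get-Date).AddDays(-$days)

# Owners that hide the real creator: BUILTIN\Administrators (S-1-5-32-544),
# Domain Admins (RID 512) and Enterprise Admins (RID 519).
$adminOwnerPattern = '^S-1-5-32-544$|-(512|519)$'

$report = Get-ADUser -Filter 'whenCreated -ge $since' -Properties whenCreated, nTSecurityDescriptor |
    ForEach-Object {
        $sd = $_.nTSecurityDescriptor
        if ($null -eq $sd) {
            # The descriptor could not be read with the current credentials.
            $ownerName = '<not readable>'
            $known     = $false
        }
        else {
            $ownerSid = $sd.GetOwner([System.Security.Principal.SecurityIdentifier])
            try {
                # Resolve the SID to DOMAIN\name where possible.
                $ownerName = $ownerSid.Translate([System.Security.Principal.NTAccount]).Value
            }
            catch {
                # Deleted or unresolvable principal: keep the raw SID.
                $ownerName = $ownerSid.Value
            }
            # A group owner means the creator was a member of an "admin" group.
            $known = $ownerSid.Value -notmatch $adminOwnerPattern
        }

        [pscustomobject]@{
            SamAccountName = $_.SamAccountName
            WhenCreated    = $_.whenCreated
            Owner          = $ownerName
            CreatorKnown   = $known
        }
    }

$report | Sort-Object WhenCreated | Format-Table -AutoSize
```

The owner can be changed after creation by anyone with the right to do so, so this is a reporting convenience and not a replacement for the 4720 audit event.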
Mar 30 2022 08:09 AM