LOGs of AD

  • LOGs of AD

    Hello again everyone.

    Situation:
    Windows Server 2003 + Active Directory
    More Domain Administrators
    Question:
    My problem is: I need to find out if there is an application that I can install on the server so I can find out which of the administrators created, for example, one particular user, and on what date or time.

    Thank you very much.

  • #2
    Re: LOGs of AD

    You may find this by filtering the security logs for event ID 624, which is a user creation.

    You may filter the security log within Event Viewer, or you could use the following Visual Basic script file to list each user created (New Account Name), the user creating the user object (Caller User Name), the Active Directory attributes set for the user object and the date and time the user object was created (Time Generated).

    Just copy and paste the below into Notepad and save it with a .vbs file extension.

    Insert the names of your domain controllers into the Computers array (arrComputers), separated by commas. For this example I have presumed the domain controllers are renamed DC1, DC2, DC3 and DC4.

    ' Lists user-creation events (event ID 624) from the Security log of each domain controller
    On Error Resume Next
    Const wbemFlagReturnImmediately = &h10
    Const wbemFlagForwardOnly = &h20
    ' Domain controllers to query
    arrComputers = Array("DC1","DC2","DC3","DC4")
    For Each strComputer In arrComputers
       WScript.Echo "=========================================="
       WScript.Echo "Computer: " & strComputer
       WScript.Echo "=========================================="
       ' Reading the Security log through WMI requires the Security privilege in the moniker
       Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate,(Security)}!\\" & strComputer & "\root\CIMV2")
       Set colItems = objWMIService.ExecQuery("SELECT * FROM Win32_NTLogEvent Where Logfile = 'Security' and " _
                & "EventCode = '624'", "WQL", _
                                              wbemFlagReturnImmediately + wbemFlagForwardOnly)
       For Each objItem In colItems
          WScript.Echo "Message: " & objItem.Message
          WScript.Echo "Time Generated: " & WMIDateStringToDate(objItem.TimeGenerated)
       Next
    Next

    ' Converts a WMI datetime string (yyyymmddHHMMSS...) to a VBScript date
    Function WMIDateStringToDate(dtmDate)
    	WMIDateStringToDate = CDate(Mid(dtmDate, 5, 2) & "/" & _
    	Mid(dtmDate, 7, 2) & "/" & Left(dtmDate, 4) _
    	& " " & Mid (dtmDate, 9, 2) & ":" & Mid(dtmDate, 11, 2) & ":" & Mid(dtmDate,13, 2))
    End Function
    MCSA 2000/2003
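
An added example, not part of the original posts: a Python parser for the saved output of a script like the one in reply #2, reducing each 624 event to who created which account, on which domain controller, and when. The sample output, the account names and the `parse_creations` helper are constructed for illustration; "New Account Name" and "Caller User Name" are the labels named in the reply, and "Caller Domain" is assumed to appear in the same message.

```python
import re

# Constructed sample of the script's output (e.g. cscript //nologo script.vbs > out.txt).
# Account names, domain and times are made up for illustration.
SAMPLE = """\
==========================================
Computer: DC1
==========================================
Message: User Account Created:
\tNew Account Name:\tjsmith
\tNew Domain:\tCORP
\tNew Account ID:\tCORP\\jsmith
\tCaller User Name:\tadmin.alice
\tCaller Domain:\tCORP
Time Generated: 10/31/2007 2:15:07 PM
==========================================
Computer: DC2
==========================================
Message: User Account Created:
\tNew Account Name:\tsvc_backup
\tCaller User Name:\tadmin.bob
\tCaller Domain:\tCORP
Time Generated: 11/1/2007 9:02:44 AM
"""

# "Label: value" lines; the first line of an event carries a "Message:" prefix.
FIELD = re.compile(r"^\s*(?:Message:\s*)?([^:\t]+):\s*(.*?)\s*$")
WANTED = {"New Account Name": "account", "Caller User Name": "creator",
          "Caller Domain": "creator_domain"}

def parse_creations(text):
    """Return one dict per 624 event: dc, account, creator, creator_domain, time."""
    events, dc, cur = [], None, None
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue                  # separator lines and free text
        key, value = m.group(1).strip(), m.group(2)
        if key == "Computer":
            dc = value                # events that follow came from this DC's log
        elif line.startswith("Message:"):
            cur = {"dc": dc}          # a new event record starts here
        elif key == "Time Generated" and cur is not None:
            cur["time"] = value       # last line the script prints per event
            events.append(cur)
            cur = None
        elif key in WANTED and cur is not None:
            cur[WANTED[key]] = value
    return events
```

The time is kept as the string the script printed, because `CDate` formats it according to the locale of the machine that ran the script.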


    • #3
      Re: LOGs of AD

      L.E.: Can someone please tell me how I can activate these records, because I don't have any of the 624 ID events.

      L.L.E.: I succeeded in doing this, it wasn't so hard... this site helped me a lot.
      Basically you just have to set Audit account management to Success and/or Failure.

      Thank you very much for this information.
      I will try this now and come back with what happens.
      Last edited by bnoyzf24; 1st November 2007, 12:18.