is there a log of newly created users or deleted?


  • is there a log of newly created users or deleted?

    Does AD keep a log of user accounts created or deleted?

    It would be nice if there was a log that lists all user accounts ever created or deleted, etc.

    I don't know if such a thing exists or not.

    Thanks,

  • #2
    Re: is there a log of newly created users or deleted?

    No such list. Nearest thing is the security event log on the DCs.


    • #3
      Re: is there a log of newly created users or deleted?

      Oh well... it was a dream.

      Thanks


      • #4
        Re: is there a log of newly created users or deleted?

        For newly created accounts you can query AD by checking the whenCreated attribute.

        Below is an example of a script I used for MOM to generate a weekly report of newly created users:
        Code:
        Option Explicit
        
        Const EVENT_TYPE_SUCCESS = 0
        Const EVENT_TYPE_ERROR   = 1
        Const EVENT_TYPE_WARNING = 2
        Const EVENT_TYPE_INFORMATION = 4
        Const EVENT_TYPE_AUDITSUCCESS = 8
        Const EVENT_TYPE_AUDITFAILURE = 16
        
        Const EVENT_SOURCE = "Internal Audit Process"
        Const DEFAULT_AUDIT_PERIOD = -7
        Const EVENT_ID = 1002
        
        Dim iCount, auditPeriod
        Dim strDefaultNamingContext, oRoot, objUser
        Dim oConnect, Command, strLdapQuery, Rs
        Dim strNewUsersLastWeek, strEventText
        Dim myDate, utcDate, myMonth, MyDay
        
        
        
        ' *******************************
        ' Set Stuff Up
        ' *******************************
        Set oConnect = CreateObject("ADODB.Connection")
        Set Command = CreateObject("ADODB.Command")
        
        
        ' Get the parameters
        auditPeriod = ScriptContext.Parameters.Get("auditPeriod")
        If auditPeriod="" Then
        	auditPeriod = DEFAULT_AUDIT_PERIOD
        Else
        	If auditPeriod > 0 Then
        		auditPeriod = auditPeriod * -1
        	End If
        End If
        
        
        'Calculate the date AUDIT_PERIOD days ago and convert to 
        ' format that can be used in LDAP query
        myDate = DateAdd("d",auditPeriod ,Now())
        If Month(myDate) < 10 Then
        	myMonth = "0" & Month(myDate)
        Else 
        	myMonth = Month(myDate)
        End If
        If Day(myDate) < 10 Then
        	myDay = "0" & Day(myDate)
        Else 
        	myDay = Day(myDate)
        End If
        
        utcDate = Year(myDate) & myMonth & myDay & "000000.0Z"
        
        
        ' Find our default naming context...
        Set oRoot = GetObject("LDAP://rootDSE")
        strDefaultNamingContext = oRoot.get("defaultNamingContext")
        Set oRoot = Nothing
        
        iCount = 0
        
        '--- search for object in AD ---
        strldapquery = "<LDAP://" & strDefaultNamingContext & ">;" & _
        "(&(objectCategory=person)(objectClass=user)"& _
        "(whenCreated>=" & utcDate & "));sAMAccountName,aDSPath,whenCreated;subtree"
        
        
        oConnect.Provider = "ADsDSOObject"
        oConnect.Open "Active Directory Provider"
        
        Set Command.ActiveConnection = oConnect
        
        ' Avoid paged query limitations
        Command.Properties("Page Size") = 100
        Command.CommandText = strLdapquery
        
        Set Rs = Command.Execute 'Execute the query
        
        Do While Not Rs.EOF and Not Rs.BOF  
        	strNewUsersLastWeek = strNewUsersLastWeek & vbCrLf & _
        	Rs.Fields("sAMAccountName") & vbTab & vbTab & "(" & Rs.Fields("aDSPath") & ")"
            	iCount = iCount + 1        
            	Rs.MoveNext
        Loop
        
        Set oConnect = Nothing
        Set Command = Nothing
        
        
        If iCount > 0 Then
        	strEventText = "A total of " & iCount & " accounts have been created within last week." & vbCrLf & _
        		"The accounts are:" & vbCrLf & strNewUsersLastWeek 
        Else
        	strEventText = "No new user accounts have been created within last week."
        End If
        CreateEvent EVENT_ID, EVENT_TYPE_AUDITFAILURE, EVENT_SOURCE, strEventText
        
        
        Sub CreateEvent(intEventNumber,intEventType,strEventSource,strEventMessage)
            Dim objEvent
            Set objEvent = ScriptContext.CreateEvent()
            objEvent.EventSource = strEventSource
            objEvent.EventNumber = intEventNumber
            objEvent.EventType = intEventType 
            objEvent.Message = strEventMessage
            ScriptContext.Submit objEvent
            Set objEvent = Nothing
        End Sub

        If you are interested in recently deleted user accounts (within 60 days if the deletion was performed on a non-W2K3 SP1 DC and 180 days if W2K3 SP1), you can query the Deleted Objects container and look at the tombstones if security event logs are not your cup of tea.

        Or, if you have MOM, you can configure it to look at the event logs of all DCs and alert you on user account creation/deletion.

        Guy Teverovsky
        "Smith & Wesson - the original point and click interface"
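
The three sources named in this thread (the whenCreated attribute, the Deleted Objects container, and the DC security event logs) can be pulled into one audit report. This is an added example, not code from any poster. It assumes the ActiveDirectory RSAT module, read access to the Security log on every DC, a 7-day window mirroring the script's default, and event IDs 4720/4726, which apply to Windows Server 2008 and later rather than the W2K3-era DCs discussed above.

```powershell
# Added example. Assumptions: ActiveDirectory (RSAT) module is installed, the
# caller can read the Security log on each DC, and a 7-day audit window.
Import-Module ActiveDirectory
$since = (Get-Date).AddDays(-7)

# 1. Accounts created in the window. whenCreated lives on the object itself,
#    so any single DC can answer this.
$created = Get-ADUser -Filter 'whenCreated -ge $since' -Properties whenCreated |
    Select-Object SamAccountName, DistinguishedName, whenCreated

# 2. Deleted user objects still held in Deleted Objects. Computer accounts
#    also carry objectClass=user, so they are excluded explicitly.
#    whenChanged on a deleted object approximates the deletion time.
$deleted = Get-ADObject -IncludeDeletedObjects `
        -Filter 'isDeleted -eq $true -and objectClass -eq "user" -and objectClass -ne "computer"' `
        -Properties sAMAccountName, lastKnownParent, whenChanged |
    Select-Object sAMAccountName, lastKnownParent, whenChanged

# 3. Security events: 4720 = user account created, 4726 = user account deleted.
#    An event is written only on the DC that processed the change, and only if
#    "Audit User Account Management" is enabled, so every DC is queried.
$events = foreach ($dc in Get-ADDomainController -Filter *) {
    Get-WinEvent -ComputerName $dc.HostName -ErrorAction SilentlyContinue `
            -FilterHashtable @{ LogName = 'Security'; Id = 4720, 4726; StartTime = $since } |
        ForEach-Object {
            $evt  = $_
            $data = @{}
            # Read named fields from the event XML instead of relying on
            # positional indexes in $evt.Properties.
            ([xml]$evt.ToXml()).Event.EventData.Data |
                ForEach-Object { $data[$_.Name] = $_.'#text' }
            [pscustomobject]@{
                Time    = $evt.TimeCreated
                DC      = $dc.HostName
                Action  = if ($evt.Id -eq 4720) { 'Created' } else { 'Deleted' }
                Account = $data['TargetUserName']
                By      = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
            }
        }
}

# The event log is the only one of the three sources that records who made
# the change; the directory queries record only what changed and when.
$created | Format-Table -AutoSize
$deleted | Format-Table -AutoSize
$events  | Sort-Object Time | Format-Table -AutoSize
```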
