In the context of IT compliance and IT security, a common question that IT managers ask is, “How do I keep track of user creations in Active Directory?” To answer this question, you have to enable auditing of Account Management in a Group Policy Object applied at the domain controller level, and then search the Security log in Event Viewer. In this article, you will see how to audit user creation in Active Directory. Later on, you will also see a simpler, quicker, and better option to achieve the same objective through LepideAuditor.
Step 1: Modify an Existing or New Policy
- Open “Group Policy Management Console”.
- Create a new group policy object at the domain controller level and provide a name to it.
- Right-click on the policy and click “Edit”.
NOTE: You can also modify an existing Group Policy Object.
Step 2: Enable Account Management Policy
- In Group Policy Management Console Editor, go to “Computer Configuration” → “Policies” → “Windows Settings” → “Security Settings” → “Local Policies”.
- Click “Audit Policy”. All of its audit policies are displayed in the right pane.
- Double-click “Audit Account Management” to access its properties.
- Select “Define these policy settings” checkbox.
- Now, click both “Success” and “Failure” checkboxes.
- Click “Apply” and “OK” to close the “Properties” window.
- Close “Group Policy Management Editor” and “Group Policy Management” windows.
Step 3: Relevant Event IDs
- Once the audit settings are in place and Group Policy has been applied on the domain controllers, Event Viewer displays the following events for user creations in the Security log.
- Event ID 4720 is displayed for user creation in Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2, Windows Server 2007, Windows 8.1, Windows 8, and Windows 7.
- The corresponding Event ID for Windows 2003 is 624.
Step 4: View the Event in Event Viewer
Perform the following steps:
- In the “Event Viewer” window, go to “Windows Logs” → “Security”.
- Click “Filter Current Log” to open its window, and enter the relevant event ID, “4720” or “624” depending on the Windows version.
- Double-click the event to open its “Properties” window.
It has two tabs: “General” and “Details”. The “General” tab shows you the name of the person who created the account in the “Account Name” field under “Subject” (note that the “Account Name” field under “New Account” is the user that was created, not the creator), and when the account was created in the “Logged” field; some other details are also there. On the “Details” tab, you get more information about the event.
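The steps above can also be carried out from PowerShell, which is handy when the Security log is noisy. The following script is an added example, not code from the article or from LepideAuditor; it verifies that the audit subcategory behind Event ID 4720 is enabled and then lists every 4720 event from the last few days, separating the creator (Subject) from the created account (New Account). The `$Days` and `$ComputerName` parameters are placeholders you adjust.

```powershell
# Added example (not from the original article): pull Event ID 4720 from the
# Security log and show who created which account and when.
# Assumptions: run in an elevated PowerShell session on a domain controller
# (or on a host that can read the DC's Security log remotely).
param(
    [int]$Days = 7,
    [string]$ComputerName = $env:COMPUTERNAME   # placeholder: point this at your DC
)

# Step 1: confirm the audit setting actually took effect on this host. On
# Windows Server 2008 R2 and later, the "User Account Management" subcategory
# is what produces 4720; if an Advanced Audit Policy is defined in any GPO,
# it overrides the legacy "Audit Account Management" setting from the article.
auditpol /get /subcategory:"User Account Management"

# Step 2: query the log. FilterHashtable is applied by the event log service,
# so it is much faster than piping the whole Security log through Where-Object.
$filter = @{
    LogName   = 'Security'
    Id        = 4720
    StartTime = (Get-Date).AddDays(-$Days)
}
$events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue

# Step 3: 4720 carries two "Account Name" values: the one under Subject is the
# creator, the one under New Account is the user that was created. Reading the
# event XML lets us name them explicitly instead of parsing the message text.
$report = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Created    = $e.TimeCreated
        CreatedBy  = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
        NewAccount = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
        NewSid     = $d['TargetSid']
        DC         = $e.MachineName
    }
}

$report | Sort-Object Created -Descending | Format-Table -AutoSize
```

Pipe `$report` to `Export-Csv` instead of `Format-Table` if you need to hand the results to an auditor.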
LepideAuditor – The Simplest Way
In the following image, you can see the “User Creation” report of LepideAuditor, which gives information about all user additions made in Active Directory in a given time period. The report has a “Grid View” and a “Graph View” to present the same information in two different ways. The records can be sorted, filtered, and exported to disk.
In this article, you have gone through two ways of tracking user additions in Active Directory. While native auditing is also useful, at times it can get complex and time-consuming because of noise in the Security log. The second option is LepideAuditor for Active Directory, a trusted IT auditing solution.