Re: How do I see who created a user/group/OU in W2k3 AD???

Tech-Archive recommends: Fix windows errors by optimizing your registry

From: "Jorge de Almeida Pinto [MVP - DS]" <SubstituteThisWithMyFullNameSeparatedByDots@xxxxxxxxx>
Date: Sat, 17 Mar 2007 01:13:36 +0100

see below INLINE

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
------------------------------------------------------------------------------------------
* How to ask a question --> http://support.microsoft.com/?id=555375
------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test before implementing!
------------------------------------------------------------------------------------------
#################################################
#################################################
------------------------------------------------------------------------------------------
"islanman" <islanman@xxxxxxxxx> wrote in message
news:1173912184.820552.261010@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Hi...

I'm looking for tips/pointers on the following:

*How can I determine WHO created a user/group/OU in AD?

Account Management is enabled by default and when a security principal is
created it is logged in the security log of the DC where the sec. princ. was
created. Be aware that information may not be available anymore. However you
still need to determine on which DC it was created to be able to see which
security log to check. See third answer

*How can I determine WHEN the objects were created?

see the whenCreated attribute of the object. See third answer

*How can I determine WHERE the objects were created?

retrieve the AD metadata of the object using:
REPADMIN /SHOWOBJMETA <DC> "<object DN>"

the objectClass attribute will tell where the object was created

34 entries.
Loc.USN Originating DSA Org.USN Org.Time/Date
Ver Attribute
======= =============== ========= =============
=== =========
14785 HQ\LHFSRWDC1 14785 2007-02-20
10:55:10 1 objectClass
36921 HQ\LHFSRWDC1 36921 2007-03-15
19:00:56 3 cn
36909 HQ\LHFSRWDC1 36909 2007-03-15
18:57:31 2 sn
36909 HQ\LHFSRWDC1 36909 2007-03-15
18:57:31 2 description
36909 HQ\LHFSRWDC1 36909 2007-03-15
18:57:31 2 givenName
36909 HQ\LHFSRWDC1 36909 2007-03-15
18:57:31 2 initials
14785 HQ\LHFSRWDC1 14785 2007-02-20
10:55:10 1 instanceType
14785 HQ\LHFSRWDC1 14785 2007-02-20
10:55:10 1 whenCreated
36909 HQ\LHFSRWDC1 36909 2007-03-15
18:57:31 2 displayName
36918 HQ\LHFSRWDC1 36918 2007-03-15
19:00:56 2 isDeleted
14785 HQ\LHFSRWDC1 14785 2007-02-20
10:55:10 1 nTSecurityDescriptor
36921 HQ\LHFSRWDC1 36921 2007-03-15
19:00:56 3 name
36919 HQ\LHFSRWDC1 36919 2007-03-15
19:00:56 2 userAccountControl
36919 HQ\LHFSRWDC1 36919 2007-03-15
19:00:56 3 codePage
36919 HQ\LHFSRWDC1 36919 2007-03-15
19:00:56 3 countryCode
14786 HQ\LHFSRWDC1 14786 2007-02-20
10:55:10 1 dBCSPwd
14786 HQ\LHFSRWDC1 14786 2007-02-20
10:55:10 1 logonHours
36909 HQ\LHFSRWDC1 36909 2007-03-15
18:57:31 2 unicodePwd
36909 HQ\LHFSRWDC1 36909 2007-03-15
18:57:31 2 ntPwdHistory
36919 HQ\LHFSRWDC1 36919 2007-03-15
19:00:56 3 pwdLastSet
36919 HQ\LHFSRWDC1 36919 2007-03-15
19:00:56 3 primaryGroupID
36909 HQ\LHFSRWDC1 36909 2007-03-15
18:57:31 2 supplementalCredentials
36919 HQ\LHFSRWDC1 36919 2007-03-15
19:00:56 1 operatorCount
14785 HQ\LHFSRWDC1 14785 2007-02-20
10:55:10 1 objectSid
36919 HQ\LHFSRWDC1 36919 2007-03-15
19:00:56 1 adminCount
36919 HQ\LHFSRWDC1 36919 2007-03-15
19:00:56 3 accountExpires
36909 HQ\LHFSRWDC1 36909 2007-03-15
18:57:31 2 lmPwdHistory
14785 HQ\LHFSRWDC1 14785 2007-02-20
10:55:10 1 sAMAccountName
36919 HQ\LHFSRWDC1 36919 2007-03-15
19:00:56 3 sAMAccountType
36909 HQ\LHFSRWDC1 36909 2007-03-15
18:57:31 2 userPrincipalName
36909 HQ\LHFSRWDC1 36909 2007-03-15
18:57:31 1 lastKnownParent
36918 HQ\LHFSRWDC1 36918 2007-03-15
19:00:56 3 objectCategory
36909 HQ\LHFSRWDC1 36909 2007-03-15
18:57:31 2 msDS-Site-Affinity
36909 HQ\LHFSRWDC1 36909 2007-03-15
18:57:31 2 lastLogonTimestamp
0 entries.
Type Attribute Last Mod Time Originating
DSA Loc.USN Org.USN Ver
======= ============ =============
================= ======= ======= ===
Distinguished Name
=============================

Thanks in advance. This is a great group!

jw

References:
- How do I see who created a user/group/OU in W2k3 AD???
  - From: islanman

Prev by Date: Re: cannot extend schema for R2
Next by Date: Re: Inactive User Logins
Previous by thread: Re: How do I see who created a user/group/OU in W2k3 AD???
Next by thread: Re: How do I see who created a user/group/OU in W2k3 AD???
Index(es):
- Date
- Thread

Relevant Pages

Re: How To Determine from Which Computer a User Logged Onto Domain
... # Jorge de Almeida Pinto # MVP Windows Server - Directory Services ... BLOG --> http://blogs.dirteam.com/blogs/jorge/default.aspx ... log and that is just more complicated than searching in the security log. ...
(microsoft.public.windows.server.active_directory)
Re: Script to create multiple groups
... sAMAccountName ... BLOG --> http://blogs.dirteam.com/blogs/jorge/default.aspx ... Always test ANY suggestion in a test environment before implementing! ... How can I change to work for multiple groups? ...
(microsoft.public.windows.server.active_directory)