How to Keep Track of User Creation in Active Directory
Authored by: Support.com Tech Pro Team
1. Introduction
How to Keep Track of User Creation in Active Directory
2. Step 1: Create New Policy or Modify an Existing Policy
Open “Group Policy Management Consoleâ€.
Create a new group policy object at the domain controller level and provide a name to it.
Right-click on the policy and click “Editâ€.
You can also modify an existing Group Policy Object.
3. Step 2: Enable Account Management Policy
In Group Policy Management Console Editor, go to “Computer Configuration†→ “Policies†→ “Windows Settings†→ “Security Settings†→ “Local Policiesâ€.
Click “Audit Policyâ€. All of its audit policies are displayed in the right pane.
Double-click “Audit Account Management†to access its properties.
Select “Define these policy settings†checkbox.
Now, click both “Success†and “Failure†checkboxes.
Click “Apply†and “OK†to close the “Properties†window.
Close “Group Policy Management Editor†and “Group Policy Management†windows.
4. Step 3. Relevant Event IDs
Once you have done the audit settings, Event Viewer displays the following events for User Creations in the security log.
Event ID 4720 is displayed for User Creation in Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2, Windows Server 2007, Windows 8.1, Windows 8, and Windows 7.
The corresponding Event Id for Windows 2003 is 624.
5. Step 4: View the Event in Event Viewer
In the “Event Viewer†window, go to Windows → Security.
Click “Filter Current Log†to open its window, and search for the relevant event ID that is “4720†or “624†depending on the Windows version.
Double – click on the event to open “Properties†window.
It has two tabs: “General†and “Detailsâ€. The “General†tab show you the name of the person ‘who’ created the account in the “Account Name†field, and when this account was created in the “Logged†field, some other details are also there. On the “Details†tab, you get more information about the event.
.png)
