How to Detect Who Created a User Account in Active Directory

Native Auditing vs. Netwrix Auditor for Active Directory

Native Auditing Netwrix Auditor for Active Directory
  1. Run GPMC.msc → open "Default Domain Policy" → Computer Configuration → Policies → Windows Settings → Security Settings:  
    • Local Policies → Audit Policy → Audit account management → Define → Success.
    • Event Log → Define → Maximum security log size to 1gb and Retention method for security log to Overwrite events as needed.
  2. Open ADSI Edit → Connect to Default naming context → right click "DC=domain name" → Properties → Security (Tab) → Advanced → Auditing (Tab) → Click "Add" → Choose the following settings:
    • Principal: Everyone; Type: Success; Applies to: This object and all descendant objects; Permissions: Create all child objects → Click "OK".
  3. In order to define what user account was created filter Security Event Log for Event ID 4720.
  1. Run Netwrix Auditor, navigate to Reports → Active Directory → Active Directory Changes → Select "User Accounts Changes" report → View → Set "Actions" filter to "Added" and click "View Report".


Continuously Monitor Changes to Quickly Determine Who Created AD User Accounts

An attempt to create an AD user account can indicate that an outside or inside attack in intent on accessing your IT systems. By creating a user in Active Directory, a malefactor can gain access to sensitive data, as well as the ability to copy, share, edit and delete it. Therefore, Therefore, it is vital for IT admins to continuously monitor user account creation and know who has added users to Active Directory to be sure… that “the keys to the kingdom” are not in the hands of an unknown intruder.

Netwrix Auditor for Active Directory provides who-what-when-where reports on specific changes to the IT infrastructure. Using these reports, IT administrators can easily spot when anyone has created an AD account, real or fake. Moreover, if someone has been creating accounts in Active Directory without proper authority, Netwrix Auditor can roll back these unwanted changes including without any downtime. Subscribing to the User Accounts Changes report via email can help you stay informed about all Active Directory added users.

Got Feedback? Share!