8,330 questions
Hi @Gurudas ,
this is only possible if Active Directory Auditing has been enabled. Then an event is written to the Security event Log on a domain controller.
So, if you have enabeld this, you need to get all AD groups and search for a Audting event, which references this group, then check who the Creator of the group is.
It is not an trivial task to achieve.
Here is also how Auditing can be enabled in Active Directory:
How to Enable the Security Auditing of Active Directory
https://www.lepide.com/how-to/enable-active-directory-security-auditing.html
and here is an example of how to find a user account in AD, created by a specific user, the logic for groups is the similar:
How to Check Who Created a User Account in AD?
http://woshub.com/getting-ad-accounts-created-in-the-last-24-hours/
instead of using "Get-ADUser" you need to use "Get-ADGroup", the rest is the same...
Here is a reference to the event, a post from the forums:
Powershell - Identify the user account who has created accounts in AD
https://learn.microsoft.com/en-us/answers/questions/412084/powershell-identify-the-user-account-who-has-creat.html
Hope I could help you out!
----------
(If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)
Regards
Stoyan Chalakov
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(67.2, 68%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ELT%3C/text%3E%3C/svg%3E)