Write custom field on user creation on AD

David Marques 41 Reputation points
2022-03-28T12:53:01.577+00:00

Hi,

I'm developing some scripts in order to have some visibility of some key issues within user creation.

So I have a PowerShell script that reads some information about the users created in a 7-day range and sends it over email for analysis. One detail I'm missing is, for each newly created user, who it was created by. I've searched a bit, and that's event 4720, registered in the Security event log of each DC. The issue is that, due to the number of events being generated, I only have about 3 to 4 hours of events in the Security event log.

So to overcome this issue, what I considered was, while creating the AD user, being able to use a custom field to write the creator user as well, so that this way I would have all the information I need. Is this something possible?

Thanks
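
Added example (not from the original post): the 4720 correlation the question describes, done in PowerShell. It lists users created in the last N days and joins them to "A user account was created" (4720) events from every DC, reading the Subject (creator) and Target (new account) fields by name from the event XML. It assumes the ActiveDirectory module, rights to read the Security log remotely on each DC, and that the 4720 events for the period have not yet rolled out of the log; the function name is hypothetical.

```powershell
# Added example: recover the creator of each new AD user from Security event 4720.
# Assumes the ActiveDirectory module and remote read access to each DC's Security log.
Import-Module ActiveDirectory

function Get-NewUserCreators {
    param([int]$Days = 7)
    $since = (Get-Date).AddDays(-$Days)

    # Users created in the window (whenCreated is a base-schema attribute).
    $newUsers = Get-ADUser -Filter { whenCreated -ge $since } -Properties whenCreated

    # 4720 is written only on the DC that handled the create, and each DC's
    # Security log is independent, so every DC must be queried.
    $creators = @{}
    $dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName
    foreach ($dc in $dcs) {
        # -ErrorAction SilentlyContinue: Get-WinEvent throws when no event matches.
        $events = Get-WinEvent -ComputerName $dc -FilterHashtable @{
            LogName   = 'Security'
            Id        = 4720
            StartTime = $since
        } -ErrorAction SilentlyContinue

        foreach ($ev in $events) {
            # Read EventData fields by name rather than by position in $ev.Properties.
            $xml  = [xml]$ev.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

            # TargetUserName = sAMAccountName of the new account,
            # SubjectDomainName\SubjectUserName = the account that created it.
            $creators[$data['TargetUserName']] = [pscustomobject]@{
                Creator = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
                When    = $ev.TimeCreated
                DC      = $dc
            }
        }
    }

    foreach ($u in $newUsers) {
        $hit = $creators[$u.SamAccountName]
        [pscustomobject]@{
            SamAccountName = $u.SamAccountName
            WhenCreated    = $u.whenCreated
            Creator        = if ($hit) { $hit.Creator } else { 'unknown (no 4720 event left in any DC log)' }
            LoggedOnDC     = if ($hit) { $hit.DC } else { $null }
        }
    }
}

Get-NewUserCreators -Days 7 | Format-Table -AutoSize
```

Because the question says the Security log only holds 3 to 4 hours of events, a weekly run will mostly report "unknown". Two practical fixes: run the correlation on a schedule (hourly, for example) and persist the results for the weekly report, or raise the Security log maximum size on the DCs (`wevtutil sl Security /ms:<bytes>` or the equivalent Group Policy setting) so 4720 events survive long enough to be collected.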


5 answers

  1. Thameur-BOURBITA 32,831 Reputation points
    2022-03-28T13:08:50.53+00:00

    Hi,

    > So to overcome this issue, what I considered was while creating the AD User, being able to use a custom field to write the creator user as well, so this way I would have all the information I need. Is this something possible?

    If the event collection is complicated for you, you can use the description field to mention who created the user account during its creation.

    Please don't forget to mark helpful reply as answer


  2. David Marques 41 Reputation points
    2022-03-28T13:35:08.243+00:00

    Hi,

    Thanks for the reply.
    But my goal is not a manual note in the description field. The goal is to automate it. Basically, change AD behavior so that it automatically writes the creator user into a custom field.
    I need to know if this is possible, and some guidance on how to reach it.

    Thanks in advance.


  3. Thameur-BOURBITA 32,831 Reputation points
    2022-03-28T13:53:24.04+00:00

    Hi,

    > But my goal is not a manual note on the description field. The goal is to automate it. Basically change AD behavior in order to write automatically the creator user into a custom field.

    No, it's not possible. There is an attribute that records when the user account was created, but we can't know who created it. You should check Event Viewer.
    However, you can add this kind of information to the description field, as mentioned in my previous answer, during the user creation process, using a PowerShell command for example.

    Please don't forget to mark the helpful reply as answer

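
Added example (not from the original answer): the "stamp it in the description during creation" approach done with a wrapper around New-ADUser, so the creator is written automatically whenever users are created through this script. The function names are hypothetical; the description attribute is in the base schema. It assumes the ActiveDirectory module and rights to create users in the target OU.

```powershell
# Added example: wrapper around New-ADUser that records the calling account in the
# description field at creation time. Function names are hypothetical.
Import-Module ActiveDirectory

function New-TrackedADUser {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$Path,       # distinguished name of the target OU
        [string]$Description
    )
    # Identity of whoever runs the script: the same account that appears as the
    # Subject in event 4720, but kept in the object itself instead of the log.
    $creator = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    $stamp   = 'Created by {0} on {1:yyyy-MM-dd HH:mm:ss} UTC' -f $creator, (Get-Date).ToUniversalTime()
    $desc    = if ($Description) { "$Description | $stamp" } else { $stamp }

    if ($PSCmdlet.ShouldProcess($SamAccountName, "create user and stamp '$stamp'")) {
        New-ADUser -Name $Name -SamAccountName $SamAccountName -Path $Path -Description $desc -PassThru
    }
}

# Read the stamp back later, e.g. from the weekly report script.
function Get-CreatorStamp {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $u = Get-ADUser -Identity $SamAccountName -Properties description
    if ($u.description -match 'Created by (?<who>[^|]+?) on (?<when>[0-9:\- ]+ UTC)') {
        [pscustomobject]@{
            SamAccountName = $u.SamAccountName
            Creator        = $Matches['who'].Trim()
            When           = $Matches['when']
        }
    }
}

# Usage with constructed placeholder values (OU and names are not from the thread):
# New-TrackedADUser -Name 'Jane Doe' -SamAccountName 'jdoe' -Path 'OU=Staff,DC=example,DC=com'
# Get-CreatorStamp -SamAccountName 'jdoe'
```

Two caveats for anyone relying on this: it only records creations that go through the script (a user created in ADUC or by another tool gets no stamp), and the description is an ordinary writable attribute, so anyone with write access to the object can alter it. It is convenient for reporting, not an audit trail; event 4720 remains the authoritative record.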

  4. Gary Reynolds 9,416 Reputation points
    2022-03-28T17:48:58.693+00:00

    Hi @David Marques

    There are a couple of options you could look at, but they are not simple:

    One possible option is to use the object owner: when an object is created, the user that created the object is set as the owner in the security descriptor. However, if the user that created the object is a member of Domain Admins, then by default Domain Admins will be marked as the owner. You can turn off this behaviour; however, it could cause you problems with permission management at a later date.

    Another option is to implement a SIEM which would collect the logs and would be able to produce the report on object creation.

    Another option is to create a new property page add-on for ADUC, which could automatically add the user creating the object to an attribute. See this page for more details:
    https://learn.microsoft.com/en-us/windows/win32/ad/extending-the-user-interface-for-directory-objects

    Gary.
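
Added example (not from the original answer): reading the owner out of each new user's nTSecurityDescriptor, the first option above, and flagging the cases where the owner is Domain Admins (or another administrative group) rather than a person, since in those cases the owner does not identify the creator. It assumes the ActiveDirectory module and read access to nTSecurityDescriptor; the function name is hypothetical.

```powershell
# Added example: report the security-descriptor owner of recently created users.
# Assumes the ActiveDirectory module; function name is hypothetical.
Import-Module ActiveDirectory

function Get-NewUserOwners {
    param([int]$Days = 7)
    $since   = (Get-Date).AddDays(-$Days)
    $netbios = (Get-ADDomain).NetBIOSName

    # Owners that are groups rather than the creating account. Domain Admins is
    # the default owner for objects created by Domain Admins members.
    $groupOwners = @(
        "$netbios\Domain Admins",
        "$netbios\Enterprise Admins",
        'BUILTIN\Administrators'
    )

    Get-ADUser -Filter { whenCreated -ge $since } -Properties whenCreated, nTSecurityDescriptor |
        ForEach-Object {
            $sd = $_.nTSecurityDescriptor   # System.DirectoryServices.ActiveDirectorySecurity
            try {
                # Resolve the owner SID to DOMAIN\name; fall back to the raw SID if
                # the account no longer exists (deleted creator account).
                $owner = $sd.GetOwner([System.Security.Principal.NTAccount]).Value
            } catch [System.Security.Principal.IdentityNotMappedException] {
                $owner = $sd.GetOwner([System.Security.Principal.SecurityIdentifier]).Value
            }
            [pscustomobject]@{
                SamAccountName = $_.SamAccountName
                WhenCreated    = $_.whenCreated
                Owner          = $owner
                # Only an individual account as owner tells you who created the object.
                OwnerIsCreator = ($groupOwners -notcontains $owner)
            }
        }
}

Get-NewUserOwners -Days 7 | Format-Table -AutoSize
```

Note that the owner is also rewritable after the fact by anyone holding WriteOwner or WriteDacl on the object, so, like the description field, it is a hint rather than an audit record; for accounts created by Domain Admins members it will simply show the group, as the answer says.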


  5. David Marques 41 Reputation points
    2022-03-30T10:55:24.397+00:00

    Hi,

    Thanks for the inputs. I know it's something that's not easy.
    We have a SIEM, but it's not ours, it's provided as a service, so I would like to avoid that, but probably I'll have to explore that option.

    Thanks

