By chatting and providing personal info, you understand and agree to our Terms of Service and Privacy Policy.
Corporate Site
Overview
How it works
For Home
Step-by-Step Guides
Get Tech Support
|
1-808-210-2095

How to Get a List of Active Directory User Accounts Created in Last 24 hours

Authored by: Support.com Tech Pro Team

1. Introduction

How to Get a List of Active Directory User Accounts Created in Last 24 hours

 

2. Step1: Configuring the audit policy

  1. Type GPMC.MSC in the “Run” window to open the “Group Policy Management” console. You can also access it from the “Start Menu” or “Administrative Tools” in Control Panel.
  2. Go to “Forest” → “Domains” → “www.domain.com”→“Domain Controllers”.
  3. Edit any existingor newly create GPO at the domain controller level to access “Group Policy Management Editor”. You can create a new GPO and link it to the domain.
  4. Our experts recommend never to edit the “Default Domain Policy” and “Default Domain Controller Policy”. 
  5. Navigate to “Computer Configuration” → “Policies” → “Windows Settings” → “Security Settings” → “Local Policies”.
  6. Select “Audit Policy” to view its policies in the right pane
Figure 1: “Group Policy Management Editor”
  1. Right-click “Audit account management”to access its properties.
  2. Click to select “Define these policy settings” checkbox. Select both “Success” and “Failure” checkboxes.
  3. Click “Apply” and “OK” to close “Audit account management Properties” window.
  4. Close “Group Policy Management Editor” window.
  5. In “Group Policy Management Console”, perform the following steps to apply this modified GPO to all Active Directory objects.
  6. Select the modified GPO.
  7. In the right pane’s “Security Filtering” section, click “Add” and type “Everyone” in the window that opens the screen.
  8. Click “Check Names” to validate the value.
  9. Click “OK” to add it.
  10. Close “Group Policy Management Console”.
  11. To update the applied policies, run the following command in “Command Prompt”:gpupdate /force

3. Step 2: Tracking newly created accounts using Event Viewer

The event ID for user creation is 4720. Following is a screenshot of the same.

The steps to spot users created in the last 24-hours in the ‘Event Viewer” are:

  • Open “Windows Event Viewer”.
  • In the console tree, go to “Windows Logs” → “Security”.
  • Click “Filter Current Log”,on the “Action” menu in the right-pane. In case if a filter is already applied, click “Clear Filter”.
  • From “Logged” drop-down list, select the corresponding time period to filter the events based on when they occurred (here we select 24 hours from the list).
  • Type Event ID (4720 for user account creation) in “Event IDs” that you want the filter to display.
  • To apply the filter, click “OK”The screenshot given below displays a list of user accounts created in the last 24 hours:

Privacy Matters

Support.com is committed to your privacy
We do not share or sell your data to third parties. We do use cookies and other third-party technologies to improve our site and services. The California Consumer Privacy Act (CCPA) gives you the ability to opt out of the use of cookies, third-party technologies and/or the future sale of your data. Do not sell my personal information.

Support.com is committed to your privacy
Read our Privacy Policy for a clear explanation of how we collect, use, disclose and store your information

©2024 RealDefense LLC. Support.com is a trademark owned by RealDefense LLC.
PRIVACY
TERMS OF USE