How to Get a List of Active Directory User Accounts Created in Last 24 hours

Authored by: Support.com Tech Pro Team

1. Introduction

How to Get a List of Active Directory User Accounts Created in Last 24 hours

 

2. Step1: Configuring the audit policy

  1. Type GPMC.MSC in the “Run” window to open the “Group Policy Management” console. You can also access it from the “Start Menu” or “Administrative Tools” in Control Panel.
  2. Go to “Forest” → “Domains” → “www.domain.com”→“Domain Controllers”.
  3. Edit any existingor newly create GPO at the domain controller level to access “Group Policy Management Editor”. You can create a new GPO and link it to the domain.
  4. Our experts recommend never to edit the “Default Domain Policy” and “Default Domain Controller Policy”. 
  5. Navigate to “Computer Configuration” → “Policies” → “Windows Settings” → “Security Settings” → “Local Policies”.
  6. Select “Audit Policy” to view its policies in the right pane
Figure 1: “Group Policy Management Editor”
  1. Right-click “Audit account management”to access its properties.
  2. Click to select “Define these policy settings” checkbox. Select both “Success” and “Failure” checkboxes.
  3. Click “Apply” and “OK” to close “Audit account management Properties” window.
  4. Close “Group Policy Management Editor” window.
  5. In “Group Policy Management Console”, perform the following steps to apply this modified GPO to all Active Directory objects.
  6. Select the modified GPO.
  7. In the right pane’s “Security Filtering” section, click “Add” and type “Everyone” in the window that opens the screen.
  8. Click “Check Names” to validate the value.
  9. Click “OK” to add it.
  10. Close “Group Policy Management Console”.
  11. To update the applied policies, run the following command in “Command Prompt”:gpupdate /force

3. Step 2: Tracking newly created accounts using Event Viewer

The event ID for user creation is 4720. Following is a screenshot of the same.

The steps to spot users created in the last 24-hours in the ‘Event Viewer” are:

  • Open “Windows Event Viewer”.
  • In the console tree, go to “Windows Logs” → “Security”.
  • Click “Filter Current Log”,on the “Action” menu in the right-pane. In case if a filter is already applied, click “Clear Filter”.
  • From “Logged” drop-down list, select the corresponding time period to filter the events based on when they occurred (here we select 24 hours from the list).
  • Type Event ID (4720 for user account creation) in “Event IDs” that you want the filter to display.
  • To apply the filter, click “OK”The screenshot given below displays a list of user accounts created in the last 24 hours: