ap
Engaged Sweeper

Is it possible to create a report which shows who created the AD user account?

2 ACCEPTED SOLUTIONS
ErikT
Lansweeper Tech Support

Unfortunately, Lansweeper does not scan who created the AD user account and thus this cannot be reported on.


Mister_Nobody
Honored Sweeper II

You must enable Scan Information events on https://ls_server/Configuration/ServerOptions/ page.

Then run report:

 

Select Top 10000000 tblAssets.AssetID,
tblAssets.AssetName,
tsysAssetTypes.AssetTypeIcon10 As icon,
tblAssets.IPAddress,
tblAssets.Username,
tblNtlogSource.Sourcename,
tblNtlog.Eventcode,
tblNtlog.TimeGenerated,
tblNtlogMessage.Message,
tblAssets.OScode
From tblAssets
Inner Join tblAssetCustom On tblAssets.AssetID = tblAssetCustom.AssetID
Inner Join tsysAssetTypes On tsysAssetTypes.AssetType = tblAssets.Assettype
Inner Join tblNtlog On tblAssets.AssetID = tblNtlog.AssetID
Inner Join tblNtlogSource On tblNtlogSource.SourcenameID =
tblNtlog.SourcenameID
Inner Join tblNtlogMessage On tblNtlogMessage.MessageID = tblNtlog.MessageID
Where tblNtlog.Eventcode In ('4720', '4740', '4723', '4724', '4772', '4767',
'4728', '4732', '4756', '4729', '4733', '4757') And
tblAssetCustom.State = 1
Order By tblNtlog.TimeGenerated Desc

 

User Creation Events (event 4720)

Account Unlock (event 4767)

Account is Locked (event 4740)

An attempt was made to reset an account's password (events 4724, 4723)

A member was added to a security-enabled group (events 4728, 4732, 4756)

A member was removed from a security-enabled group (events 4729, 4733, 4757)

*Sometimes LS ignores events and doesn't collect all of them, so you have to check DC events and LS-collected events.


8 REPLIES
ap
Engaged Sweeper

Ok. Is there any way we can pull just the 4720 & 4726 event IDs from AD with a Lansweeper report?

Mister_Nobody
Honored Sweeper II

It's easy to change the report, but there is no filter to collect concrete events. LS has only Exclusions for events and doesn't have a 'white list' for events.

@ErikT @Esben_D could you add a white list for information events scanning?

 

Select Top 10000000 tblAssets.AssetID,
tblAssets.AssetName,
tsysAssetTypes.AssetTypeIcon10 As icon,
tblAssets.IPAddress,
tblAssets.Username,
tblNtlogSource.Sourcename,
tblNtlog.Eventcode,
tblNtlog.TimeGenerated,
tblNtlogMessage.Message,
tblAssets.OScode
From tblAssets
Inner Join tblAssetCustom On tblAssets.AssetID = tblAssetCustom.AssetID
Inner Join tsysAssetTypes On tsysAssetTypes.AssetType = tblAssets.Assettype
Inner Join tblNtlog On tblAssets.AssetID = tblNtlog.AssetID
Inner Join tblNtlogSource On tblNtlogSource.SourcenameID =
tblNtlog.SourcenameID
Inner Join tblNtlogMessage On tblNtlogMessage.MessageID = tblNtlog.MessageID
Where tblNtlog.Eventcode In ('4720', '4726') And
tblAssetCustom.State = 1
Order By tblNtlog.TimeGenerated Desc

 

 


Thanks. Let me try this and I will update. 

ap
Engaged Sweeper

This suggested report includes all events except 4720 and 4726. Anyway, I appreciate the suggestion.

Mister_Nobody
Honored Sweeper II

You have to check these events on DCs.

If there are no events, then you must enable security audit:

https://www.lepide.com/how-to/enable-active-directory-security-auditing.html
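
For the DC-side check suggested above, this added example (not part of the original thread and not Lansweeper code) reads events 4720 and 4726 directly from a domain controller's Security log and extracts the account that performed the action. It assumes an elevated PowerShell session with rights to read the Security log; `DC01` is a placeholder name and the 30-day window is arbitrary.

```powershell
# Added example: list account creation (4720) and deletion (4726) events
# from a domain controller, with the acting account ("Subject") and the
# affected account ("Target") taken from the event's XML data.
# 'DC01' is a placeholder; replace it with one of your domain controllers.
$dc    = 'DC01'
$since = (Get-Date).AddDays(-30)   # arbitrary look-back window

$filter = @{
    LogName   = 'Security'
    Id        = 4720, 4726
    StartTime = $since
}

try {
    $events = Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction Stop
} catch {
    # "No events matched" is reported as an error; anything else is re-thrown.
    if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') { $events = @() }
    else { throw }
}

$report = foreach ($e in $events) {
    # Turn the <EventData><Data Name="..."> elements into a lookup table.
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
        $data[$d.Name] = $d.'#text'
    }

    [pscustomobject]@{
        TimeCreated = $e.TimeCreated
        EventId     = $e.Id
        Action      = if ($e.Id -eq 4720) { 'Created' } else { 'Deleted' }
        Account     = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
        PerformedBy = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
        DC          = $e.MachineName
    }
}

$report | Sort-Object TimeCreated -Descending | Format-Table -AutoSize
```

These events are written on the domain controller that processed the change, so the query has to be repeated for each DC before comparing the result with what Lansweeper collected.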

The security audits are already enabled. I could search these events in DC.
