This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Community FAQ
Register | Log In
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Lansweeper Community
- Forums
- Reports & Analytics
- Lansweeper report who created AD account
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Register to ask a question, start a topic or share an idea
Join the Community
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎05-11-2023 09:16 PM - last edited on ‎04-01-2024 12:26 PM by Mercedes_O
Is it possible to create a report which shows who created the AD user account?
Solved! Go to Solution.
Labels:
- Labels:
-
Report Center
2 ACCEPTED SOLUTIONS
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎05-11-2023 09:28 PM
Unfortunately, Lansweeper does not scan who created the AD user account and thus this cannot be reported on.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎05-12-2023 07:38 AM - edited ‎05-17-2023 05:31 AM
You must enable Scan Information events on https://ls_server/Configuration/ServerOptions/ page.
Then run report:
Select Top 10000000 tblAssets.AssetID,
tblAssets.AssetName,
tsysAssetTypes.AssetTypeIcon10 As icon,
tblAssets.IPAddress,
tblAssets.Username,
tblNtlogSource.Sourcename,
tblNtlog.Eventcode,
tblNtlog.TimeGenerated,
tblNtlogMessage.Message,
tblAssets.OScode
From tblAssets
Inner Join tblAssetCustom On tblAssets.AssetID = tblAssetCustom.AssetID
Inner Join tsysAssetTypes On tsysAssetTypes.AssetType = tblAssets.Assettype
Inner Join tblNtlog On tblAssets.AssetID = tblNtlog.AssetID
Inner Join tblNtlogSource On tblNtlogSource.SourcenameID =
tblNtlog.SourcenameID
Inner Join tblNtlogMessage On tblNtlogMessage.MessageID = tblNtlog.MessageID
Where tblNtlog.Eventcode In ('4720', '4740', '4723', '4724', '4772', '4767',
'4728', '4732', '4756', '4729', '4733', '4757') And
tblAssetCustom.State = 1
Order By tblNtlog.TimeGenerated Desc
User Creation Events (event 4720)
Account Unlock (event 4767)
Account is Locked (event 4740)
An attempt was made to reset an account's password (events 4724, 4723)
A member was added to a security-enabled group (events 4728, 4732, 4756)
A member was removed from a security-enabled group (events 4729, 4733, 4757)
*Sometimes LS ignore events and doesn't collect all. So you have to checks DC events and LS-collected events.
8 REPLIES 8
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎05-12-2023 11:51 PM
Ok. Is there any way we can pull just the 4720 & 4726 event IDs from AD with Lansweeper report.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎05-15-2023 05:16 AM - edited ‎05-15-2023 10:30 AM
It's easy to change report but there is no filter to collect concrete events. LS has only Exclusions for events and doesn't have 'white list' for events.
@ErikT @Esben_D could you add white list for information events scanning?
Select Top 10000000 tblAssets.AssetID,
tblAssets.AssetName,
tsysAssetTypes.AssetTypeIcon10 As icon,
tblAssets.IPAddress,
tblAssets.Username,
tblNtlogSource.Sourcename,
tblNtlog.Eventcode,
tblNtlog.TimeGenerated,
tblNtlogMessage.Message,
tblAssets.OScode
From tblAssets
Inner Join tblAssetCustom On tblAssets.AssetID = tblAssetCustom.AssetID
Inner Join tsysAssetTypes On tsysAssetTypes.AssetType = tblAssets.Assettype
Inner Join tblNtlog On tblAssets.AssetID = tblNtlog.AssetID
Inner Join tblNtlogSource On tblNtlogSource.SourcenameID =
tblNtlog.SourcenameID
Inner Join tblNtlogMessage On tblNtlogMessage.MessageID = tblNtlog.MessageID
Where tblNtlog.Eventcode In ('4720', '4726') And
tblAssetCustom.State = 1
Order By tblNtlog.TimeGenerated Desc
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎05-12-2023 07:38 AM - edited ‎05-17-2023 05:31 AM
You must enable Scan Information events on https://ls_server/Configuration/ServerOptions/ page.
Then run report:
Select Top 10000000 tblAssets.AssetID,
tblAssets.AssetName,
tsysAssetTypes.AssetTypeIcon10 As icon,
tblAssets.IPAddress,
tblAssets.Username,
tblNtlogSource.Sourcename,
tblNtlog.Eventcode,
tblNtlog.TimeGenerated,
tblNtlogMessage.Message,
tblAssets.OScode
From tblAssets
Inner Join tblAssetCustom On tblAssets.AssetID = tblAssetCustom.AssetID
Inner Join tsysAssetTypes On tsysAssetTypes.AssetType = tblAssets.Assettype
Inner Join tblNtlog On tblAssets.AssetID = tblNtlog.AssetID
Inner Join tblNtlogSource On tblNtlogSource.SourcenameID =
tblNtlog.SourcenameID
Inner Join tblNtlogMessage On tblNtlogMessage.MessageID = tblNtlog.MessageID
Where tblNtlog.Eventcode In ('4720', '4740', '4723', '4724', '4772', '4767',
'4728', '4732', '4756', '4729', '4733', '4757') And
tblAssetCustom.State = 1
Order By tblNtlog.TimeGenerated Desc
User Creation Events (event 4720)
Account Unlock (event 4767)
Account is Locked (event 4740)
An attempt was made to reset an account's password (events 4724, 4723)
A member was added to a security-enabled group (events 4728, 4732, 4756)
A member was removed from a security-enabled group (events 4729, 4733, 4757)
*Sometimes LS ignore events and doesn't collect all. So you have to checks DC events and LS-collected events.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎05-12-2023 11:46 PM
Thanks. Let me try this and I will update.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎05-18-2023 09:40 PM
This suggested report includes all events except 4720 and 4726. Anyway, I appreciate the suggestion.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎05-19-2023 06:41 AM
You have to check these events on DCs.
If there are no events then you must enable security audit
https://www.lepide.com/how-to/enable-active-directory-security-auditing.html
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎05-19-2023 05:48 PM
The security audits are already enabled. I could search these events in DC.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎05-11-2023 09:28 PM
Unfortunately, Lansweeper does not scan who created the AD user account and thus this cannot be reported on.
Reports & Analytics
Ask about reports you're interested in and share reports you've created. Subscribe to receive daily updates of reports shared in the Community.
New to Lansweeper?
Try Lansweeper For Free
Experience Lansweeper with your own data. Sign up now for a 14-day free trial.
Try Now
Related Content
- Deploy software on domain controllers without domain admin permissions? in Deployment Packages
- Windows 10 22H2 - Scanning Access denied in General Discussions
- Local Admin Account Audit in General Discussions
- ServiceNow Service Graph Connector - Use of Zip Files in General Discussions
- Intune Scanning - No V2 in List & Issues in General Discussions
