This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
→ 🚀What's New? Join Us for the Fall Product Launch! Register Now !
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Lansweeper Community
- Forums
- Reports & Analytics
- Re: Lansweeper report who created AD account
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Register to ask a question, start a topic or share an idea
Join the Community
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
05-11-2023
09:16 PM
- last edited on
04-01-2024
12:26 PM
by
Mercedes_O
Is it possible to create a report which shows who created the AD user account?
Solved! Go to Solution.
Labels:
- Labels:
-
Report Center
2 ACCEPTED SOLUTIONS
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
05-11-2023 09:28 PM
Unfortunately, Lansweeper does not scan who created the AD user account and thus this cannot be reported on.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
05-12-2023 07:38 AM - edited 05-17-2023 05:31 AM
You must enable Scan Information events on https://ls_server/Configuration/ServerOptions/ page.
Then run report:
Select Top 10000000 tblAssets.AssetID,
tblAssets.AssetName,
tsysAssetTypes.AssetTypeIcon10 As icon,
tblAssets.IPAddress,
tblAssets.Username,
tblNtlogSource.Sourcename,
tblNtlog.Eventcode,
tblNtlog.TimeGenerated,
tblNtlogMessage.Message,
tblAssets.OScode
From tblAssets
Inner Join tblAssetCustom On tblAssets.AssetID = tblAssetCustom.AssetID
Inner Join tsysAssetTypes On tsysAssetTypes.AssetType = tblAssets.Assettype
Inner Join tblNtlog On tblAssets.AssetID = tblNtlog.AssetID
Inner Join tblNtlogSource On tblNtlogSource.SourcenameID =
tblNtlog.SourcenameID
Inner Join tblNtlogMessage On tblNtlogMessage.MessageID = tblNtlog.MessageID
Where tblNtlog.Eventcode In ('4720', '4740', '4723', '4724', '4772', '4767',
'4728', '4732', '4756', '4729', '4733', '4757') And
tblAssetCustom.State = 1
Order By tblNtlog.TimeGenerated Desc
User Creation Events (event 4720)
Account Unlock (event 4767)
Account is Locked (event 4740)
An attempt was made to reset an account's password (events 4724, 4723)
A member was added to a security-enabled group (events 4728, 4732, 4756)
A member was removed from a security-enabled group (events 4729, 4733, 4757)
*Sometimes LS ignore events and doesn't collect all. So you have to checks DC events and LS-collected events.
8 REPLIES 8
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
05-12-2023 11:51 PM
Ok. Is there any way we can pull just the 4720 & 4726 event IDs from AD with Lansweeper report.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
05-15-2023 05:16 AM - edited 05-15-2023 10:30 AM
It's easy to change report but there is no filter to collect concrete events. LS has only Exclusions for events and doesn't have 'white list' for events.
@ErikT @Esben_D could you add white list for information events scanning?
Select Top 10000000 tblAssets.AssetID,
tblAssets.AssetName,
tsysAssetTypes.AssetTypeIcon10 As icon,
tblAssets.IPAddress,
tblAssets.Username,
tblNtlogSource.Sourcename,
tblNtlog.Eventcode,
tblNtlog.TimeGenerated,
tblNtlogMessage.Message,
tblAssets.OScode
From tblAssets
Inner Join tblAssetCustom On tblAssets.AssetID = tblAssetCustom.AssetID
Inner Join tsysAssetTypes On tsysAssetTypes.AssetType = tblAssets.Assettype
Inner Join tblNtlog On tblAssets.AssetID = tblNtlog.AssetID
Inner Join tblNtlogSource On tblNtlogSource.SourcenameID =
tblNtlog.SourcenameID
Inner Join tblNtlogMessage On tblNtlogMessage.MessageID = tblNtlog.MessageID
Where tblNtlog.Eventcode In ('4720', '4726') And
tblAssetCustom.State = 1
Order By tblNtlog.TimeGenerated Desc
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
05-12-2023 07:38 AM - edited 05-17-2023 05:31 AM
You must enable Scan Information events on https://ls_server/Configuration/ServerOptions/ page.
Then run report:
Select Top 10000000 tblAssets.AssetID,
tblAssets.AssetName,
tsysAssetTypes.AssetTypeIcon10 As icon,
tblAssets.IPAddress,
tblAssets.Username,
tblNtlogSource.Sourcename,
tblNtlog.Eventcode,
tblNtlog.TimeGenerated,
tblNtlogMessage.Message,
tblAssets.OScode
From tblAssets
Inner Join tblAssetCustom On tblAssets.AssetID = tblAssetCustom.AssetID
Inner Join tsysAssetTypes On tsysAssetTypes.AssetType = tblAssets.Assettype
Inner Join tblNtlog On tblAssets.AssetID = tblNtlog.AssetID
Inner Join tblNtlogSource On tblNtlogSource.SourcenameID =
tblNtlog.SourcenameID
Inner Join tblNtlogMessage On tblNtlogMessage.MessageID = tblNtlog.MessageID
Where tblNtlog.Eventcode In ('4720', '4740', '4723', '4724', '4772', '4767',
'4728', '4732', '4756', '4729', '4733', '4757') And
tblAssetCustom.State = 1
Order By tblNtlog.TimeGenerated Desc
User Creation Events (event 4720)
Account Unlock (event 4767)
Account is Locked (event 4740)
An attempt was made to reset an account's password (events 4724, 4723)
A member was added to a security-enabled group (events 4728, 4732, 4756)
A member was removed from a security-enabled group (events 4729, 4733, 4757)
*Sometimes LS ignore events and doesn't collect all. So you have to checks DC events and LS-collected events.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
05-12-2023 11:46 PM
Thanks. Let me try this and I will update.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
05-18-2023 09:40 PM
This suggested report includes all events except 4720 and 4726. Anyway, I appreciate the suggestion.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
05-19-2023 06:41 AM
You have to check these events on DCs.
If there are no events then you must enable security audit
https://www.lepide.com/how-to/enable-active-directory-security-auditing.html
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
05-19-2023 05:48 PM
The security audits are already enabled. I could search these events in DC.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
05-11-2023 09:28 PM
Unfortunately, Lansweeper does not scan who created the AD user account and thus this cannot be reported on.
New to Lansweeper?
Try Lansweeper For Free
Experience Lansweeper with your own data. Sign up now for a 14-day free trial.
Try Now
Related Content
- User login fails to onprem Lansweeper for AD user in Product Discussions
- New Q&A Forum Board Now Available! in General Discussions
- Using Lansweeper Cloud in General Discussions
- NEW SPACE NOW LIVE - The Lounge for New Users in Product Discussions
- Help me creating a report in classic Lansweeper - Software uninstalled in the last 30 days in Reports & Analytics
