‎05-11-2023 09:16 PM - last edited on ‎04-01-2024 12:26 PM by Mercedes_O
Is it possible to create a report which shows who created the AD user account?
Solved! Go to Solution.
‎05-11-2023 09:28 PM
Unfortunately, Lansweeper does not scan who created the AD user account and thus this cannot be reported on.
‎05-12-2023 07:38 AM - edited ‎05-17-2023 05:31 AM
You must enable Scan Information events on https://ls_server/Configuration/ServerOptions/ page.
Then run report:
Select Top 10000000 tblAssets.AssetID,
tblAssets.AssetName,
tsysAssetTypes.AssetTypeIcon10 As icon,
tblAssets.IPAddress,
tblAssets.Username,
tblNtlogSource.Sourcename,
tblNtlog.Eventcode,
tblNtlog.TimeGenerated,
tblNtlogMessage.Message,
tblAssets.OScode
From tblAssets
Inner Join tblAssetCustom On tblAssets.AssetID = tblAssetCustom.AssetID
Inner Join tsysAssetTypes On tsysAssetTypes.AssetType = tblAssets.Assettype
Inner Join tblNtlog On tblAssets.AssetID = tblNtlog.AssetID
Inner Join tblNtlogSource On tblNtlogSource.SourcenameID =
tblNtlog.SourcenameID
Inner Join tblNtlogMessage On tblNtlogMessage.MessageID = tblNtlog.MessageID
Where tblNtlog.Eventcode In ('4720', '4740', '4723', '4724', '4772', '4767',
'4728', '4732', '4756', '4729', '4733', '4757') And
tblAssetCustom.State = 1
Order By tblNtlog.TimeGenerated Desc
User Creation Events (event 4720)
Account Unlock (event 4767)
Account is Locked (event 4740)
An attempt was made to reset an account's password (events 4724, 4723)
A member was added to a security-enabled group (events 4728, 4732, 4756)
A member was removed from a security-enabled group (events 4729, 4733, 4757)
*Sometimes LS ignore events and doesn't collect all. So you have to checks DC events and LS-collected events.
‎05-12-2023 11:51 PM
Ok. Is there any way we can pull just the 4720 & 4726 event IDs from AD with Lansweeper report.
‎05-15-2023 05:16 AM - edited ‎05-15-2023 10:30 AM
It's easy to change report but there is no filter to collect concrete events. LS has only Exclusions for events and doesn't have 'white list' for events.
@ErikT @Esben_D could you add white list for information events scanning?
Select Top 10000000 tblAssets.AssetID,
tblAssets.AssetName,
tsysAssetTypes.AssetTypeIcon10 As icon,
tblAssets.IPAddress,
tblAssets.Username,
tblNtlogSource.Sourcename,
tblNtlog.Eventcode,
tblNtlog.TimeGenerated,
tblNtlogMessage.Message,
tblAssets.OScode
From tblAssets
Inner Join tblAssetCustom On tblAssets.AssetID = tblAssetCustom.AssetID
Inner Join tsysAssetTypes On tsysAssetTypes.AssetType = tblAssets.Assettype
Inner Join tblNtlog On tblAssets.AssetID = tblNtlog.AssetID
Inner Join tblNtlogSource On tblNtlogSource.SourcenameID =
tblNtlog.SourcenameID
Inner Join tblNtlogMessage On tblNtlogMessage.MessageID = tblNtlog.MessageID
Where tblNtlog.Eventcode In ('4720', '4726') And
tblAssetCustom.State = 1
Order By tblNtlog.TimeGenerated Desc
‎05-12-2023 07:38 AM - edited ‎05-17-2023 05:31 AM
You must enable Scan Information events on https://ls_server/Configuration/ServerOptions/ page.
Then run report:
Select Top 10000000 tblAssets.AssetID,
tblAssets.AssetName,
tsysAssetTypes.AssetTypeIcon10 As icon,
tblAssets.IPAddress,
tblAssets.Username,
tblNtlogSource.Sourcename,
tblNtlog.Eventcode,
tblNtlog.TimeGenerated,
tblNtlogMessage.Message,
tblAssets.OScode
From tblAssets
Inner Join tblAssetCustom On tblAssets.AssetID = tblAssetCustom.AssetID
Inner Join tsysAssetTypes On tsysAssetTypes.AssetType = tblAssets.Assettype
Inner Join tblNtlog On tblAssets.AssetID = tblNtlog.AssetID
Inner Join tblNtlogSource On tblNtlogSource.SourcenameID =
tblNtlog.SourcenameID
Inner Join tblNtlogMessage On tblNtlogMessage.MessageID = tblNtlog.MessageID
Where tblNtlog.Eventcode In ('4720', '4740', '4723', '4724', '4772', '4767',
'4728', '4732', '4756', '4729', '4733', '4757') And
tblAssetCustom.State = 1
Order By tblNtlog.TimeGenerated Desc
User Creation Events (event 4720)
Account Unlock (event 4767)
Account is Locked (event 4740)
An attempt was made to reset an account's password (events 4724, 4723)
A member was added to a security-enabled group (events 4728, 4732, 4756)
A member was removed from a security-enabled group (events 4729, 4733, 4757)
*Sometimes LS ignore events and doesn't collect all. So you have to checks DC events and LS-collected events.
‎05-12-2023 11:46 PM
Thanks. Let me try this and I will update.
‎05-18-2023 09:40 PM
This suggested report includes all events except 4720 and 4726. Anyway, I appreciate the suggestion.
‎05-19-2023 06:41 AM
You have to check these events on DCs.
If there are no events then you must enable security audit
https://www.lepide.com/how-to/enable-active-directory-security-auditing.html
‎05-19-2023 05:48 PM
The security audits are already enabled. I could search these events in DC.
‎05-11-2023 09:28 PM
Unfortunately, Lansweeper does not scan who created the AD user account and thus this cannot be reported on.
Experience Lansweeper with your own data. Sign up now for a 14-day free trial.
Try Now