What is required to create a query to indicate the user who created a particular Windows Active Directory account

Article:TECH157616  |  Created: 2011-04-07  |  Updated: 2011-04-14  |  Article URL http://www.symantec.com/docs/TECH157616
Article Type
Technical Solution


Environment

Issue



Would like a query to show who created an active user account.


Environment



CCS Data Collections 9.0.1 CHF=6 Windows 2003 SP2 32 bit no admin.pak installed on Data Collection server - ECS on same server. non-domain admin account as ccs admin trying to run active directory queries.


Solution



Information regarding; obtaining the source of who created the user id within Active Directory is needed.
 
1.  Is  account management auditing turned on for successful audits as well as failures.
 
 
2.  If auditing is turned on for successful audits as well as failures the event id that captures the information of who created the Active Directory account will be required.
 
3.  This information can be used to create an events query to obtain who created a particular account within active directory using a event log query.
 
 
If auditing is not turned on prior to the creation of the user, the event was not created there for can not be queried.

Note continue after all of the requirements above are met;

Creating your query;

1. Open a new Query by selecting the icon that appears as a red book.

This Opens a Select a data source window.

2. Expand the bv-Control for Windows data source.

Example of  the different options of Event logs ;
Application
DNS
Directory Service
File Replication Service
Security
Systems

For this example the Event Log (Security) was choose.

3.  Select OK

In the Field Specification tab.  The selected fields will be automatically propagated.

4. Locate the Available Fields section;
a.  Expand the Event Information Field;
b. Select  the Event Description <FORM> -> select Add
c. Select the User Name ->Select Add

5. Now select the scope Tab

a. Expand Active Directory
b. Expand the appropriate DOMAIN
c. Expand Domain Controllers
d. Select the specific [Domain Controller]
c. Add Scope


A window named Additional Settings will open.
 

Select the Event Filtering Options radio button

{located on the right bottom corner of window}
 

Select the appropriate Filter matching Options.

a.  In the Log Property/Field: drop down menu->Select Event Id

b. In the Comparison field: drop down menu->Select  Equals

c.  In the Filter Value field: Enter a numeric value of the event id  

Note: The event id to create an id is 624 and to delete is 630.
Select Add

Repeat for each additional event id values that are to be queried.
Select OK

Select OK


Select OK
 

Select Run




Article URL http://www.symantec.com/docs/TECH157616


Terms of use for this information are found in Legal Notices