How to find who created an AD account with PowerShell and ADAudit Plus

Steps to obtain a user account report in Windows PowerShell

• Define the domain from where the report should be generated.
• Define the UPN and sAMaccount name for the newly created account.
• Define the domain controller to retrieve the report from.
• Execute the script.

Find the user who created an account

Code:

$dcs = Get-ADDomainController -Filter {Name -like "*"}

$upn = 'sometext@gmail.com'

Get-WinEvent -FilterHashtable @{LogName='Security';Id=4720} |
Where-Object { $_.Message -match "user principal name:\s+$upn" } |
Select-Object -Expand Message |
Select-String '(?<=subject:\s+security id:\s+\S+\s+account name:\s+)\S+' |
Select-Object -Expand Matches |
Select-Object -Expand Value
$exportFilePath = "c:\scripts\lastLogon.csv"
$columns = "username,datetime"
Out-File -filepath $exportFilePath -force -InputObject $columns

Steps to obtain a user management report in ADAudit Plus

• Login to ADAudit Plus web console using administrator credential. Select the 'Reports' tab and navigate to 'User Management' panel on the left.
• Select the 'Recently Created User' report. In the advanced search filter, select 'SAM account' 'is' 'account_name'
• Under the 'Caller Username' column, you can view who has created the account.
• You can also choose to export this report in the desired format (CSV, HTML, XLS, PDF) using the export option.

Screenshot