This week I needed to figure out when a group was created in one of the Active Directory environments that I provide support for. I looked at the group using “Active Directory Users and Computers” and didn’t see anything that would tell me when it was created. I did a quick Google search and found a way to accomplish this for a similar item (a user object) using VBScript. The example for a user object that I found was on a “Hey, Scripting Guy! Blog”.
Here’s an example of how to find out when a group in Active Directory was created:
1 2 | Set objGroup = GetObject("LDAP://cn=my group, ou=test, dc=mikefrobbins, dc=com") Wscript.Echo objGroup.WhenCreated |
And here’s an example of how to find out when a group in Active Directory was modified:
1 2 | Set objGroup = GetObject("LDAP://cn=my group, ou=test, dc=mikefrobbins, dc=com") Wscript.Echo objGroup.WhenChanged |
µ
sign me up
Hi,
I’m not a coder, just a computer enthusiast who need to know when an account was created on a computer running XP Pro SP3.
Where do I type the above code?
Do I need to substitute any part of it with the specific account name?
Please advice on how to use the above code.
Thank you and I appologize for my computer skils not being up to par.
Danny
Open up notepad, enter one of the commands, and save it as a .vbs file instead of a .txt file.
µ
The script won’t offer the kind of reporting and filtering capabillities necessary for compliance purposes. If you need to monitor changes to AD for compliance, use the freeware version of netwrix active directory change reporter (www.netwrix.com), which monitors all changes made to AD. It sends daily reports that highlight all modifications, including those made to group memberships. It’s pretty useful.
I haven’t run the script so don’t know if it provides more detail. isn’t the information simply found on the Object tab of the Properties dialog box? This shows creation and last modified dates.
Just open AD in advanced view than you have Tab Object and there is when group/user/… was created and modifed
How to find out who created the group?
Use the AD advanced option and search the group, Go to the group security tab, click on advanced and click on Owner. You shoul dbe able to see the creator / Owners account updated. Though you can change it manually. In most of the case the data is genuie / untouched.
Auditing must be enabled to track such changes in AD infra.
By the way, Lepide active directory auditing also provides an automated way to track the changes made in active directory into real time. More information can be obtained at http://www.lepide.com/lepideauditor/active-directory-auditing.html