Hi All, I was wondering if anyone can help.
I was looking for a PowerShell script that will export data of when all the local accounts were created on a server?
I can see when the user profile was created but not the account itself.
Thanks
Hey @Waqkas-Ahmed ,
Active Directory users have a 'Created' property, which you can access with the Get-ADUser cmdlet:
Get-ADUser -Identity mike -Properties created
Created : 5/1/2018 10:13:53 AM
DistinguishedName : CN=Mike Rodrick,OU=Hosts,OU=Employees,DC=itprotvdemo,DC=com
Enabled : True
GivenName : Mike
Name : Mike Rodrick
ObjectClass : user
ObjectGUID : 7b00cee5-a1cb-4f80-b2aa-dd3837996ded
SamAccountName : mike
SID : S-1-5-21-2188304144-249357871-1439484412-1104
Surname : Rodrick
UserPrincipalName : mike@itprotvdemo.com
There is also a whenCreated property; they seem to be the same.
Local accounts do not have this property.
Get-LocalUser -Name Mike | Select *
This will list all properties available through PowerShell:
AccountExpires :
Description :
Enabled : True
FullName : Mike Rodrick
PasswordChangeableDate : 1/22/2019 11:42:49 AM
PasswordExpires :
UserMayChangePassword : True
PasswordRequired : True
PasswordLastSet : 1/22/2019 11:42:49 AM
LastLogon :
Name : mike
SID : S-1-5-21-1069031296-2743270012-4265884690-1002
PrincipalSource : MicrosoftAccount
ObjectClass : User
That leaves us with the Event Log. You could look in the Security Event Log for Event ID 4720, which is generated when a new user is created.
Get-EventLog -LogName Security -InstanceId 4720
Index Time EntryType Source InstanceID Message
----- ---- --------- ------ ---------- -------
237573 Jul 01 11:16 SuccessA... Microsoft-Windows... 4720 A user account was created....
Depending on how far back your log files go, this might provide the information you need.
You could script that to run against a list of remote machines.
Hope this helps
Mike Rodrick
Edutainer, ITProTV
**if the post above has answered the question, please mark the topic as solved.
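The suggestion above to script the Event ID 4720 lookup against a list of machines could look like the following. This is an added example, not part of the original thread: it uses Get-WinEvent instead of the Get-EventLog call shown above so the account name and creator can be read from the event XML, and the parameter defaults, the output path and the ConvertFrom-Event4720 helper name are assumptions.

```powershell
# Added example (not from the thread). Run elevated: reading the Security log needs
# admin or Event Log Readers rights, and remote hosts must allow remote event log access.
# The $ComputerName and $OutFile defaults are placeholders.
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME),
    [string]$OutFile = '.\LocalAccountCreation.csv'
)

function ConvertFrom-Event4720 {
    # Hypothetical helper: flattens one 4720 event record into a report row.
    param([Parameter(Mandatory)]$EventRecord)
    $xml  = [xml]$EventRecord.ToXml()
    $data = @{}
    # EventData is a list of <Data Name="...">value</Data>; index it by name
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    $hostShort = ($EventRecord.MachineName -split '\.')[0]
    [pscustomobject]@{
        Computer      = $EventRecord.MachineName
        TimeCreated   = $EventRecord.TimeCreated
        NewAccount    = $data['TargetUserName']
        AccountDomain = $data['TargetDomainName']
        AccountSid    = $data['TargetSid']
        CreatedBy     = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
        # Local (SAM) accounts are logged with the machine name as their domain
        IsLocal       = $data['TargetDomainName'] -eq $hostShort
    }
}

$report = foreach ($computer in $ComputerName) {
    try {
        Get-WinEvent -ComputerName $computer -ErrorAction Stop -FilterHashtable @{
            LogName = 'Security'; Id = 4720
        } | ForEach-Object { ConvertFrom-Event4720 -EventRecord $_ }
    }
    catch {
        # Covers unreachable hosts, access denied, and "no events found"
        Write-Warning "${computer}: $($_.Exception.Message)"
    }
}

# Full export for the record, then a console view of local accounts only
$report | Sort-Object Computer, TimeCreated |
    Export-Csv -Path $OutFile -NoTypeInformation
$report | Where-Object IsLocal | Format-Table Computer, TimeCreated, NewAccount, CreatedBy
```

The report only reaches back as far as each machine's Security log retention, and only covers periods when account management auditing was enabled.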
I have now enabled the account management auditing. Just tested with a test user and works fine. Shows when logged in Event Viewer.
However, do you know if there is a workaround for finding the creation date for historic users on the server?
I don't believe there is a way for local users, only domain users.
From Microsoft:
Unlike AD user objects, local user objects (in the local SAM account database) have no attribute that indicates when the object was created. The only recourse is the system logs, and even if auditing is enabled they may not go back very far in time.
The system does not record when a local account is created.
Some people have suggested looking at the created date listed in the properties of the profile folder (C:\users\mike). But this isn't accurate. The profile is created on first login, not when the account is created. In my experiments, this date isn't consistent either. Some folders inside my profile show a date prior to the date on the profile itself.
So the only way I can find to determine when a local account was created is to examine the log files. If they have been purged or rolled over, that information might not be available anymore.
Mike Rodrick
Edutainer, ITProTV
Thanks @Mike-Rodrick