Export filter sort AD users

Question

I am currently looking for a solution to create a powershell script that would allow me to Get-Aduser but on a level of creation, such as: I created 50 users since last month. My colleague created 20. I would like to export and show only the users I have created, even though it's the exact same period. would this be possible? I currently have no idea from where to start or how to deal with this. Any type of help would be appreciated.

Answer 1

would this be possible?

Sure, if you store your Domain Controller Security event logs for that long.

The creator of an object is not recorded in the directory itself, but the information is logged, assuming correctly configured audit policy on the DCs.

This is obviously easier to report on if you have a SIEM or at least some central log store. But if not, you can query the domain controllers directly for these logs:

# Event id 5137 == a directory object was created
$EventId = 5137
# We only want events instigated by ourselves
$Subject = $env:USERNAME
# ... over the last month
$Since = (Get-Date).AddMonths(-1)

# Prepare XPath filter
$timestamp = Get-Date $Since -Format s
$XPathFilter = "*[System[TimeCreated[@SystemTime>'$timestamp']][EventID=$EventId]][EventData[Data[@Name = 'SubjectUserName'] = '$Subject']]"

# Search all the domain controllers
$ObjectCreationEvents = Get-ADDomainController -Filter * |ForEach-Object {
  Get-WinEvent -FilterXPath $XPathFilter -LogName Security -ComputerName $_.HostName
}

The resulting events will have the unique objectGuid value of each object as well, allowing us to eaily locate them again:

$ObjectCreationEvents |ForEach-Object {
  # Extract object ID
  $guid = $_.ToXml().SelectSingleNode('//*[local-name() = "Data" and @Name = 
"ObjectGUID"]').InnerText

  # Query the actual object
  Get-ADObject -Identity $guid
}