3
1
I would like to know if windows remembers or logs(maybe event viewer) when a new user account is created then added to the administrators localgroup.
Ex..
A network account user creates a local user on a machine called anonuser then adds it to the administrators localgroup all through the command line.
If another user wants to know who created anonuser can that be accomplished?
Beall619
Posted 2017-03-10T19:15:48.900
Reputation: 33
5
Look for Event ID 4720: A user account was created:
4720: A user account was created
The user identified by Subject: created the user identified by New Account:.
Attributes show some of the properties that were set at the time the account was created. Notice account is initially disabled.
This event is logged both for local SAM accounts and domain accounts.
You will see a series of other User Account Management events after this event as the remaining properties are punched down, password set and account finally enabled.
Subject:
The user and logon session that performed the action.
- Security ID: The SID of the account.
- Account Name: The account logon name.
- Account Domain: The domain or - in the case of local accounts - computer name.
- Logon ID is a semi-unique (unique between reboots) number that identifies the logon session. Logon ID allows you to correlate backwards to the logon event (4624) as well as with other events logged during the same logon session.
See the source link below for a full list of Categories and Subcategories for the event.
Source 4720: A user account was created
Look for Event ID 4732: A member was added to a security-enabled local group:
4732: A member was added to a security-enabled local group
The user in Subject: added the user/group/computer in Member: to the Security Local group in Group:.
This event is logged on domain controllers for Active Directory domain local groups and member computer for local SAM groups. You can determine if the group is a domain or SAM group by comparing Group Domain: to the Computer: name. If they match you have a SAM group, if they differ you have a domain group.
Active Directory
- In Active Directory Users and Computers "Security Enabled" groups are simply referred to as Security groups. AD has 2 types of groups: Security and Distribution. Distribution (security disabled) groups are for distribution lists in Exchange and cannot be assigned permissions or rights. Security (security enabled) groups can be used for permissions, rights and as distribution lists. A domain local group means the group can only be granted access to objects within its domain but can have members from any trusted domain.
Local SAM
- All groups are security groups in the computer's SAM. Local SAM groups can be granted access to objects on the local computer only but may have members from the local SAM and any trusted domain.
Subject:
The user and logon session that performed the action.
- Security ID: The SID of the account.
- Account Name: The account logon name.
- Account Domain: The domain or - in the case of local accounts - computer name.
- Logon ID is a semi-unique (unique between reboots) number that identifies the logon session. Logon ID allows you to correlate backwards to the logon event (4624) as well as with other events logged during the same logon session.
See the source link below for a full list of Categories and Subcategories for the event.
Source 4732: A member was added to a security-enabled local group
DavidPostill
Posted 2017-03-10T19:15:48.900
Reputation: 118 938
Let's say all the event viewer logs are permanenty wiped. Is it still possible to discover who created
anonuser? – Beall619 – 2017-03-11T18:53:13.5331@Beall619 In that case I don't think so. – DavidPostill – 2017-03-11T18:53:45.480
That's awesome. – Beall619 – 2017-03-11T18:55:04.230