2

Is there something like an "event" that is fired when a user is created in active directory? An external system automatically creates active directory users and I would like to perform some powershell tasks directly after creation of a new user. When the user logs on, the script should have run already.

Has someone an idea how this could be achieved?

I am running Windows Server 2008 R2.

MDMarra
Heinrich

2 Answers

3

You have a couple of problems:

  1. I can probably come up with an event to fire on a DC when a user is created, but how can you guarantee that users will only be created on 1 DC?
  2. User accounts are user accounts, so how will you determine which accounts are created by this external process and which were created for other reasons (service accounts etc.)?

Your best bet is to have the scripts kicked off by the external system. In the past instead of allowing some external system access to create users I have the external system kick off a script to create users and pass the details as parameters.

Jim B
  • Agreed. While it's technically possible to monitor the events on all DCs, as well as weeding out service accounts by other means (OU, naming convention, etc) there will always be exceptions. You should just work with whoever is creating the accounts in the first place to append your job to the end of their job, which I assume is also automated. – MDMarra Jan 16 '12 at 20:21
  • Thanks, that's definitely a good point. But still, how would I fire a script when a user account is created? – Heinrich Jan 16 '12 at 20:30
  • You could easily use either event logs or DS auditing to kick the script off of the event. I have to stress again that this has great potential to make for a reason to begin a new career in food service. There are far too many ways for this to go horribly wrong (and it depends on what you are trying to script how spectacular the failure is). – Jim B Jan 17 '12 at 00:30
3

Yes. These are event IDs 4722, 4738, etc. in your Security event log. The event text will contain the string "A user account was enabled." or "A user account was changed.", respectively. The event for "A user account was created" is event 4720.

And it is true that not every domain controller will log all the user creation events if the user is created on a different DC. If that's a concern for you, consider a more thorough approach to AD event auditing as detailed here:

http://technet.microsoft.com/en-us/library/cc731607(WS.10).aspx

After that, it would be a simple matter of using PowerShell cmdlets such as Get-EventLog to find these events and do things based on them.

Ryan Ries
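The following is an added example, not code from either answer: a PowerShell script that reads event ID 4720 ("A user account was created") from the Security log, remembers the last record it handled so each creation is processed once, and acts only on accounts created by the external provisioning system, which addresses the second problem in the first answer. The provisioning account name, the watermark file path and the per-user action are assumptions for illustration. It assumes account management auditing is enabled on the DC (the default for domain controllers) and runs on Windows Server 2008 R2's PowerShell 2.0.

```powershell
# Added example (not from the answers above): act on "A user account was
# created" (event ID 4720) in the Security log on this DC.
param(
    # Assumed: the account the external provisioning system runs as.
    [string]$ProvisioningAccount = 'svc-provisioning',
    # Assumed: where the last processed RecordId is kept between runs.
    [string]$WatermarkFile = 'C:\Scripts\NewUser.watermark'
)

function Invoke-NewUserSetup {
    param([string]$SamAccountName)
    # Placeholder for the post-creation work (home folder, group membership, ...).
    Write-Host "Running post-creation tasks for $SamAccountName"
}

# Only look at records newer than the last one we handled.
$lastRecordId = 0
if (Test-Path $WatermarkFile) {
    $lastRecordId = [int64](Get-Content $WatermarkFile)
}

# Filtering on Id in the query is cheaper than filtering Get-EventLog output afterwards.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720 } -ErrorAction SilentlyContinue |
    Where-Object { $_.RecordId -gt $lastRecordId } |
    Sort-Object RecordId

foreach ($event in $events) {
    # The event XML carries named fields: TargetUserName is the new account,
    # SubjectUserName is the account that created it.
    $xml  = [xml]$event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    if ($data['SubjectUserName'] -ieq $ProvisioningAccount) {
        Invoke-NewUserSetup -SamAccountName $data['TargetUserName']
    } else {
        # Accounts created by anyone else (admins, other tools) are left alone.
        Write-Verbose "Skipping $($data['TargetUserName']) created by $($data['SubjectUserName'])"
    }

    # Advance the watermark after each record so a crash mid-run does not replay handled events.
    Set-Content -Path $WatermarkFile -Value $event.RecordId
}
```

To have this run promptly rather than on a polling schedule, attach it to a Task Scheduler task with an event trigger on Security event 4720 on each domain controller; as the answer notes, a DC only logs the creations it performed itself, so the task has to exist on every DC the external system might bind to.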