Windows local account creation date

Each computer name is separated by a comma. The name of a computer is the sAMAccountName property of a user object. This parameter contains the value of userWorkstations attribute of new user object. This parameter contains the value of pwdLastSet attribute of new user object. This parameter contains the value of accountExpires attribute of new user object.

Note Relative identifier RID is a variable length number that is assigned to objects at creation and becomes part of the object's Security Identifier SID that uniquely identifies an account or group within a domain. This parameter contains the value of primaryGroupID attribute of new user object.

If you install multiple instances of a service on computers throughout a forest, each instance must have its own SPN. A given service instance can have multiple SPNs if there are multiple names that clients might use for authentication. For example, an SPN always includes the name of the host computer on which the service instance is running, so a service instance might register an SPN for each name or alias of its host. This parameter contains the previous value of userAccountControl attribute of user object.

This parameter contains the value of userAccountControl attribute of new user object. Compare each property value to the flags value in the event. If the flags value in the event is greater than or equal to the property value, then the property is "set" and applies to that event. Subtract the property value from the flags value in the event and note that the flag applies and then go on to the next flag. We'll pretend it doesn't mean anything. This parameter contains the value of sIDHistory attribute of new user object.

The value of logonHours attribute of new user object. Important For this event, also see Appendix A: Security monitoring recommendations for many audit events. Some organizations monitor every event. Skip to main content. This browser is no longer supported. Download Microsoft Edge More info. Ask Question. Asked 7 years, 9 months ago. Active 4 years, 5 months ago. Viewed 53k times. Improve this question. To add from chat: I can see the user hive in the registry creation date, but that's only based on their first login, not account creation date.

Add a comment. Active Oldest Votes. A forensics tool probably isn't what you want, but it looks like Microsoft isn't making it easy. Improve this answer. Evan Anderson Evan Anderson k 18 18 gold badges silver badges bronze badges. Would you, perchance, have any linkage I might avail myself of to that end? Damn you markdown! Just the link to the regripper project above. I haven't used it, personally, but it looks reasonably easy to deal with.

It looks like it has been included in Kali Linux now bugs. Apparently there was a book written around these tools. It looks pricey: amazon. We can't always guarantee that the perfect solution to your specific problem will be waiting for you.

If you ask your own question - our Certified Experts will team up with you to help you get the answers you need. Who are the certified experts? How quickly will I get my solution?

We can't guarantee quick solutions - Experts Exchange isn't a help desk. We're a community of IT professionals committed to sharing knowledge. Our experts volunteer their time to help other people in the technology industry learn and succeed. I get information all spread out in the csv and no easy way to get it readable.

I can see the information in the security log, and I can pull all events. However, that too is inconsistent, especially if some rascal like me cleared out the event log a couple of months ago.

But that doesn't really get me what I need either. All I need is the username and the date the account was created. I know it's not that simple although it should be LOL. It's a one time job and I suck at Powershell although, I've learned a lot over the past couple of days. Stack Overflow for Teams — Collaborate and share knowledge with a private group. Create a free Team What is Teams? Collectives on Stack Overflow.

Learn more. Using PowerShell, can I find when a user account was created? Ask Question. Asked 7 years, 3 months ago.