Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Admin Other
- :
- Security
- :
- Re: active directory new create and delete user qu...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
active directory new create and delete user query
i want to show active directory created user and show deleted users.
what is the query for searching in ldapsearch ?
install windows infrastructure app,but when i create user in ad the app doesn't show the created user in users -- >new user
and also when i delete user account it doesn't show my deleted user.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Could it be the Active Directory audit policy needs to be set to log these events?
https://docs.splunk.com/Documentation/MSExchange/3.5.2/DeployMSX/ConfigureActiveDirectoryauditpolicy
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
LDAP search can tell you who is in AD and in which groups, but does not tell you when users are added or removed. For that, you need Windows event logs. Install the Splunk Universal Forwarder on your domain controller and enable the WinEventLog:Security input. This will send events to Splunk each time a user is added or deleted (among many other events). You can then create searches to find and display created and deleted users.
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
can you tell me, what did you enable in group policy ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
i installed Splunk Universal Forwarder on my domain controller ,but when i create user on ad it doesn't show any log. even in my windows event viewer
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@khanlarloo, did you enable WinEventLog:Security input on your DC as suggested by richgalloway? I also have the Splunk App for Windows Infrastructure installed and I am getting those reports. From Active Directory drop-down, go to Users>>User Reports>>Domain Accounts: New, or Domain Accounts: Deleted. Works!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
yes,i put wineventloglog:security input on my dc, but when i create user it doesn't show any log on my app.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Observability Simplified: Combining User Experience, Application Performance & ...
Event Series May & June: From Network Visibility to Service Intelligence
Global Splunk User Group Events: May + June 2026
