Date of Windows User ID creation


10 Nov 2009 15:03
prakash82x

I want to get the date of user ID creation on a local computer,
either via command prompt, VBScript, shell script or whatever.

----------------------------

#2 27 Nov 2009 20:33
prakash82x

Anybody, please help.

----------------------------

#3 27 Nov 2009 22:41
bluesxman


All I can think of is looking at the creation date for the user's registry hive (dir /tc "%userprofile%\ntuser.dat") ... but the best that could give you is the date of first logon.

cmd | *sh | ruby | chef

----------------------------

#4 03 Dec 2009 11:10
Gustaaf


Hi prakash82x,

Here is a little something I put together for you.

Thanks to avery_larry for the array variables! oldforum/viewtopic.php?id=887

Code:

@echo off
:: ------------------------
:: Written by Gustaaf
:: Find the user's first logon date on the current system. I am assuming the current user, but replace %username% with %1 as cmd input
:: 03 Dec 2009
:: ----------------
setlocal enabledelayedexpansion
set idx=0
echo.

:: Move to the folder that holds all user profiles
cd /d "%userprofile%"
cd..

:: Thanks to avery_larry for the array variables!
:: https://ss64.org/oldforum/viewtopic.php?id=887
:: ----------------------------------------------
:: dir /tc lists the creation time of each profile folder (plain dir shows last-modified).
:: Tokens 1,2,3,5 assume a 12-hour time format: date, time, AM/PM, folder name.
for /f "tokens=1,2,3,5" %%a in ('dir /tc ^| find "%username%"') do (
   set /a idx+=1
   set "line!idx!=%%a %%b %%c (%%d)"
)

:: Print every matching profile folder with its creation date
for /l %%A in (1,1,%idx%) do (
   echo Listing FIRST TIME logon dates for user: %username%
   echo Contents %%A: !line%%A!
   echo.
)

----------------------------

#5 06 Dec 2009 09:45
prakash82x


Thanks for the attention,
but what if an admin wants to get the date of ID creation and the user has never
logged on to the machine?
The scripts and replies all give either the logon date or the registry hive creation date, and in both cases that can only happen if the user logs in.

----------------------------

#6 07 Dec 2009 13:18
Gustaaf


Hi,

I am thinking you want to view if a user has made a network connection to a machine without interactively logging on.
The only evidence of this is the event viewer. Usually a user profile will not be created in this case, except if you do a remote execute of a program with these alternate credentials. In this case, the OS is compelled to create a local profile.

See this link for logon-type codes revealed: https://web.archive.org/web/20100306020 ... Types.html

I have also used a script to monitor the event log for entries and respond to that. Also posted on this forum.

----------------------------

#7 12 Jan 2010 00:18
Drewfus


Maybe this tool might help;

RegTimeStamp

A key like this one is probably constant from the time of account creation;

HKEY_LOCAL_MACHINE\SECURITY\Policy\Accounts\S-1-5-21-<S*********-I*********-D*********>-<RID>\Sid

----------------------------

#8 12 Jan 2010 00:38
Simon Sheppard


^ The problem there is the account still has to be logged into at least once; if it's never been logged in, there won't be any profile or registry entries.

I suspect the only way to do this is via auditing:

Audit account management – This will audit each event that is related to a user managing an account (user, group, or computer) in the user database on the computer where the auditing is configured. Examples of these events include:

* Creating a user account
* Adding a user to a group
* Renaming a user account
* Changing a password for a user account
https://web.archive.org/web/20100316023 ... iting.html

To be really thorough you also have to keep a long audit history as the account could have been created, then deleted and re-created with the same name.
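
An added example, not part of the original thread: one way to read the account-management audit trail described in the last post, including the delete-and-re-create case. It assumes Windows Vista / Server 2008 or later (Security event IDs 4720 for creation and 4726 for deletion), an elevated PowerShell prompt, and that "Audit account management" was already enabled when the account was created; the function name Get-AccountLifecycle is made up for this example.

```powershell
# Added example: rebuild the create/delete history of a local account name
# from the Security log. Only events still retained in the log are visible.
param([string]$AccountName = $env:USERNAME)

function Get-AccountLifecycle {
    param([Parameter(Mandatory)][string]$Name)

    # 4720 = a user account was created, 4726 = a user account was deleted
    $labels = @{ 4720 = 'Created'; 4726 = 'Deleted' }
    # Get-WinEvent raises an error when nothing matches; treat that as "no events"
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720, 4726 } `
                           -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Read the named EventData fields from the event's XML form
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
            $data[$d.Name] = $d.'#text'
        }
        if ($data['TargetUserName'] -ne $Name) { continue }

        [pscustomobject]@{
            Time    = $e.TimeCreated
            Action  = $labels[$e.Id]
            Account = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
            Sid     = $data['TargetSid']
            By      = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
        }
    }
}

$history = @(Get-AccountLifecycle -Name $AccountName | Sort-Object Time)
if ($history.Count -eq 0) {
    Write-Warning "No creation or deletion events for '$AccountName' in the retained Security log."
} else {
    # Each row is one lifecycle event; a re-created name shows several
    # 'Created' rows, each with a different SID.
    $history | ForEach-Object {
        '{0:u}  {1,-8} {2}  SID={3}  by {4}' -f $_.Time, $_.Action, $_.Account, $_.Sid, $_.By
    }
    $current = $history | Where-Object Action -eq 'Created' | Select-Object -Last 1
    if ($current) { "Latest creation of '$AccountName': $($current.Time) by $($current.By)" }
}
```

An empty result means only that no matching event is still in the log, which is why the retention period of the Security log matters as much as enabling the audit policy.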