How to Get the Creation Date of a User Account in Batch Script

Knowing exactly when a user account was created is a valuable piece of forensic data. It helps IT administrators verify an employee's start date, audit the provisioning process, or investigate suspicious accounts (e.g., "Why was a new admin created at 3 AM on Saturday?"). While this timestamp is not shown in the standard net user output, it can be retrieved using WMIC or PowerShell commands within a Batch script.

This guide explains how to extract the account creation date.

Why Check Account Creation Date?

Audit Trails: Verifying that a new hire's account was created within the SLA window (e.g., "Review ticket #1234").
Security Incident Response: Identifying if a compromised account was created days or months before a breach occurred.
Cleanup Automation: Identifying accounts older than 5 years as candidates for review or deletion.

WMI vs. AD

The method below uses WMI (Windows Management Instrumentation) to query the local account database. To query the creation date of a domain user, you must use the dsquery or Get-ADUser commands.

Method 1: Using WMIC (Local Accounts)

The net user command does not show creation time. We can query the Win32_UserAccount class in WMI, though note that the InstallDate property is often not populated for local accounts.

@echo off
setlocal

:: Check for admin rights
net session >nul 2>&1
if %errorlevel% neq 0 (
    echo [ERROR] Administrator privileges are recommended for WMI queries.
    pause
    exit /b 1
)

set /p "USN=Enter local username: "

if "%USN%"=="" (
    echo [ERROR] No username entered.
    pause
    exit /b 1
)

echo [PROCESS] Retrieving account information for: "%USN%"...
echo.

:: Check if the account exists
wmic useraccount where name='%USN%' get name >nul 2>&1
if %errorlevel% neq 0 (
    echo [ERROR] Local account "%USN%" not found.
    pause
    exit /b 1
)

:: The 'InstallDate' property holds the creation time (when available)
echo [INFO] WMI InstallDate:
wmic useraccount where name='%USN%' get name, InstallDate 2>nul
echo.
echo [NOTE] If InstallDate is empty, use the Event Log method:
echo        wevtutil qe Security /q:"*[System[EventID=4720]]" /c:5 /f:text
echo        This shows the 5 most recent "Account Created" events.
pause

Method 2: Using PowerShell for Domain Users

For Active Directory users, the creation date is stored in the whenCreated attribute. PowerShell provides the cleanest access to this data.

@echo off
setlocal

set /p "TARGET=Enter domain username: "

if "%TARGET%"=="" (
    echo [ERROR] No username entered.
    pause
    exit /b 1
)

echo [PROCESS] Checking domain creation date for "%TARGET%"...
echo.

powershell -NoProfile -Command ^
    "try {" ^
    "  $user = Get-ADUser -Identity '%TARGET%' -Properties Created, WhenCreated;" ^
    "  Write-Host ('Account:     ' + $user.Name);" ^
    "  Write-Host ('Created:     ' + $user.WhenCreated);" ^
    "  $age = [math]::Round(((Get-Date) - $user.WhenCreated).TotalDays);" ^
    "  Write-Host ('Account Age: ' + $age + ' days')" ^
    "} catch {" ^
    "  Write-Host '[ERROR] User not found or AD module not available.';" ^
    "  Write-Host '[HELP] Ensure RSAT Active Directory module is installed.';" ^
    "  exit 1" ^
    "}" 2>nul

pause

Creating an Account Age Auditor

This professional script tries multiple methods to find the creation date and provides comprehensive results.

@echo off
setlocal EnableDelayedExpansion

echo ============================================================
echo   User Account Age Diagnostic
echo ============================================================

set /p "USN=Enter Username: "

if "!USN!"=="" (
    echo [ERROR] No username entered.
    pause
    exit /b 1
)

:: 1. Try PowerShell AD query first (most reliable for domain users)
echo.
echo [METHOD 1] Active Directory Query:
powershell -NoProfile -Command ^
    "try {" ^
    "  $user = Get-ADUser -Identity '!USN!' -Properties WhenCreated -ErrorAction Stop;" ^
    "  $age = [math]::Round(((Get-Date) - $user.WhenCreated).TotalDays);" ^
    "  Write-Host ('  Created:     ' + $user.WhenCreated.ToString('yyyy-MM-dd HH:mm:ss'));" ^
    "  Write-Host ('  Account Age: ' + $age + ' days');" ^
    "  if ($age -gt 1825) { Write-Host '  [WARNING] Account is over 5 years old. Review recommended.' }" ^
    "} catch {" ^
    "  Write-Host '  [INFO] Not found in AD (local account or module not available).'" ^
    "}" 2>nul

:: 2. Try WMI for local accounts
echo.
echo [METHOD 2] Local WMI Query:
set "INSTALL_DATE="
for /f "skip=1 tokens=1" %%a in ('wmic useraccount where name^='!USN!' get InstallDate 2^>nul') do (
    for /f "tokens=1" %%b in ("%%a") do if not "%%b"=="" set "INSTALL_DATE=%%b"
)

if defined INSTALL_DATE (
    if "!INSTALL_DATE!"==" " (
        echo   [INFO] InstallDate is empty for this account.
    ) else (
        :: Parse WMI date format (YYYYMMDDHHMMSS.ffffff+zzz)
        set "YYYY=!INSTALL_DATE:~0,4!"
        set "MM=!INSTALL_DATE:~4,2!"
        set "DD=!INSTALL_DATE:~6,2!"
        set "HH=!INSTALL_DATE:~8,2!"
        set "MN=!INSTALL_DATE:~10,2!"
        echo   Created: !YYYY!-!MM!-!DD! !HH!:!MN! (UTC^)
    )
) else (
    echo   [INFO] Account not found in local WMI database.
)

:: 3. Suggest Event Log as fallback
echo.
echo [METHOD 3] Event Log (Event ID 4720^):
echo   To find when this account was created via the Security log:
echo   wevtutil qe Security /q:"*[System[EventID=4720]]" /c:10 /f:text ^| findstr /i "!USN!"

echo.
echo ============================================================
pause

Common Pitfalls and How to Avoid Them

"InstallDate" is Often Empty

For many local accounts, including built-in accounts (Administrator, Guest) and accounts on older Windows versions, the WMI InstallDate property is null. This is a known limitation of the Win32_UserAccount class.

Solution: Use the Windows Security Event Log (Event ID 4720 - "A user account was created") as the most reliable source for local account creation timestamps. Use wevtutil or PowerShell to query these events.

Time Zone Confusion

WMI timestamps are in UTC. AD whenCreated is also UTC.

SEO and UX Tip

Advise your users that if they need the exact local time, they should use PowerShell: Get-ADUser USERNAME -Properties Created | Select-Object Name, Created. The Created property is automatically converted to local time.

Best Practices for Identity Auditing

Log Changes: Use a script targeting the Event Log (Event ID 4720 "A user account was created") for real-time alerting rather than querying after the fact.
Compare to HR Data: Cross-reference the AD creation date with the employee's official start date in the HR system to ensure timely provisioning.
Monitor Admin Accounts: Set up a daily report that lists any account created in the last 24 hours, especially in privileged groups.

Recreated Accounts

If you delete a user and recreate them with the same name, the new account will have a new creation date and a new SID. The old creation date is lost forever.

Conclusion

Getting the creation date of a user account via Batch script is a critical capability for any forensic or audit-focused IT administrator. By leveraging WMI, PowerShell, and Event Log queries to extract these timestamps, you can build a complete timeline of your user identities, verifying compliance and investigating security anomalies with precision. This professional approach to system identification ensures that your user lifecycle management is transparent, accountable, and aligned with your organization's security policies.

Why Check Account Creation Date?​

Method 1: Using WMIC (Local Accounts)​

Method 2: Using PowerShell for Domain Users​

Creating an Account Age Auditor​

Common Pitfalls and How to Avoid Them​

"InstallDate" is Often Empty​

Time Zone Confusion​

Best Practices for Identity Auditing​

Conclusion​

Table of Contents