Recently I got a query from a customer that had some auditing checks and wanted to know which user back in time was used to Join the vCenter to Active Directory.
I admit that was unusual request and never think about a possibility that someone will ask me which user did the join, but at least this trigger me to do some investigations and test.
In vCenter 7 this information is stored on the following log file -> /var/log/audit/sso-events/audit_events.log
You can easly retrive the line by connecting via SSH directly to the vCenter with root user, type ‘shell’ to move to the bash and move to the path showed above.
If you need this shell command: grep ‘join AD domain’ audit_events.log could help you find the exact line on the file if present.
On the image below you can see the logs from that file and on the last line of the file the operation of join AD Domain with the exact user I used in brackets and the domain that was joined, in my case it’s a test domain vcplab.local
I hope this was helpful! and if it was let me know on the comments