Windows 2003 active directory computer creation - who done it?

Posted on 2006-06-05
Last Modified: 2012-05-05
An unusual computer account has appeared in our midst and I am trying to query AD to determine which credentials were used when it was created. I was able to determine a time stamp but no account info. Does anyone know how to determine this or what dsquery would get me there?
Question by: wpstech
    LVL 7

    Expert Comment

    Winternals Administrator's Pak has a tool called AD Explorer which would be able to tell you just about anything you might want to know about any item in AD...
    LVL 13

    Expert Comment

    You can find out about it, if you have enabled auditing for user account management.

    If it was not created a long time back and you have security events for the domain controller, try and locate event 624. It will show you who has created the account.

    Author Comment

    Auditing was not on - I have tried several query tools and did not find any of this. Do you know what property this would be called?

    I will try the Winternals product and get back to you.
    LVL 13

    Accepted Solution

    You can enable auditing from Group Policy.

    Default Domain Policy -> Computer Configuration -> Windows Settings -> Local Policies -> Auditing.

    Enable auditing for account management. Select Success and failure.

    You can find name of the creator only if auditing is enabled.

    Whenever a user ID is created in AD, a security event 624 is generated. This contains the account created and the user ID of the person who created the account.
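
The lookup the accepted answer describes, as an added example that is not part of the original thread: it scans a text export of the domain controller's Security log for account-creation events and reports who the caller was. The export layout, account names and field labels are constructed assumptions, and event 645 (which Windows Server 2003 logs for computer account creation) is matched as well, although the thread mentions only 624.

```python
import re
# Security-log event IDs on a Windows Server 2003 domain controller:
# 624 = user account created (named in the thread); 645 = computer account created.
CREATION_EVENTS = {624: "user", 645: "computer"}
FIELD = re.compile(r"^[ \t]*([A-Z][A-Za-z ]+?):[ \t]*(.*?)[ \t]*$", re.M)
# Constructed sample export: names, times and layout are made up for illustration.
SAMPLE_LOG = """\
Event ID: 624
Time: 2006-06-02 09:14:07
User Account Created:
    New Account Name: jdoe
    New Domain: CORP
    Caller User Name: helpdesk1
    Caller Domain: CORP

Event ID: 538
User Logoff:
    User Name: helpdesk1

Event ID: 645
Time: 2006-06-03 22:41:55
Computer Account Created:
    New Account Name: WKS-UNKNOWN$
    New Domain: CORP
    Caller User Name: tsmith
    Caller Domain: CORP
"""

def find_creators(log_text, account=None):
    """Return one dict per account-creation record, optionally for one account."""
    hits = []
    for record in re.split(r"\n\s*\n", log_text.strip()):
        f = dict(FIELD.findall(record))
        event_id = f.get("Event ID", "")
        if not event_id.isdigit() or int(event_id) not in CREATION_EVENTS:
            continue  # not an account-creation event
        name = f.get("New Account Name", "")
        # Computer accounts end in '$'; compare without it, ignoring case.
        if account and name.rstrip("$").lower() != account.rstrip("$").lower():
            continue
        hits.append({
            "kind": CREATION_EVENTS[int(event_id)], "time": f.get("Time"),
            "account": f.get("New Domain", "?") + "\\" + name,
            "creator": f.get("Caller Domain", "?") + "\\" + f.get("Caller User Name", "?"),
        })
    return hits

if __name__ == "__main__":
    print(find_creators(SAMPLE_LOG, account="WKS-UNKNOWN"))
```

An empty result means only that no matching record is in the export, which is also what a domain controller without account management auditing produces.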

    Expert Comment

    In which log in Eventvwr does it generate the 624 message?

    I have auditing enabled (success/failure) for account management but I'm having trouble finding ANY 624 messages.
    LVL 7

    Expert Comment

    I believe it's in System.
    Found a better way using ADUC though. Only one drawback though.
    When you discover the Computer account in AD, the security tab screen allows you to view a number of user\group accounts with rights to the computer. There is usually an account though that is a regular flesh and blood user with a limited security to the account. This is the one which has added the computer to the domain. Of course the drawback is that if a Domain Admin adds the computer or a member of Account Operators, there will be no individual record.
