  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 500

Windows 2003 active directory computer creation - who done it?

An unusual computer account has appeared in our midst and I am trying to query AD to determine under which credentials it was entered when it was created. I was able to determine a time stamp but no account info. Does anyone know how to determine this or what dsquery would get me there?
1 Solution
Winternals Administrator's Pak has a tool called AD Explorer which would be able to tell you just about anything you might want to know about any item in AD...
You can find out about it, if you have enabled auditing for user account management.

If it was not created a long time back and you have security events for the domain controller.

Try and locate event 624. It will show you who has created the account.
wpstech (Author) commented:
Auditing was not on - I have tried several query tools and did not find any of this info... Do you know what property this would be called?

I will try the winternals product and get back to you.
You can enable auditing from Group Policy.

Default Domain Policy -> Computer Configuration -> Windows Settings -> Local Policies -> Auditing.

Enable auditing for account management. Select Success and failure.

You can find the name of the creator only if auditing is enabled.

Whenever a user ID is created in AD, a security event 624 is generated. This contains the account created and the user ID of the person who created the account.
In which log in Eventvwr does it generate the 624 message?

I have auditing enabled (success/failure) for account management but I'm having trouble finding ANY 624 messages.
I believe it's in System.
Found a better way using ADUC though. Only one drawback though.
When you discover the Computer account in AD, the security tab screen allows you to view a number of user\group accounts with rights to the computer. There is usually an account though that is a regular flesh and blood user with a limited security to the account. This is the one which has added the computer to the domain. Of course the drawback is that if a Domain Admin adds the computer or a member of Account Operators, there will be no individual record.
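
The Security-tab check described in the last post can be scripted. The following is an added example, not part of the original thread: it lists the owner and the explicit (non-inherited) ACEs on a computer object and keeps only trustees that are ordinary domain accounts. The distinguished name is a placeholder, and the RID >= 1000 filter is this example's way of skipping built-in principals.

```powershell
# Added example (not from the thread). $ComputerDN is a placeholder value;
# replace it with the distinguished name of the computer account in question.
param([string]$ComputerDN = 'CN=EXAMPLE-PC,CN=Computers,DC=example,DC=com')

$sidType  = [System.Security.Principal.SecurityIdentifier]
$nameType = [System.Security.Principal.NTAccount]

function Resolve-SidName($sid) {
    # Fall back to the raw SID when the account no longer resolves (deleted user).
    try { $sid.Translate($nameType).Value } catch { $sid.Value }
}

$entry = [ADSI]"LDAP://$ComputerDN"
$sd    = $entry.psbase.ObjectSecurity   # same data the ADUC Security tab shows

"Created : $($entry.Properties['whenCreated'].Value)"
"Owner   : $(Resolve-SidName ($sd.GetOwner($sidType)))"

# Explicit ACEs only: these were written on this object, not inherited from the OU.
$candidates = $sd.GetAccessRules($true, $false, $sidType) |
    Where-Object {
        $sid = $_.IdentityReference
        # Domain account SIDs (S-1-5-21-...) with a RID of 1000 or higher are
        # accounts created in the domain, not built-ins such as Domain Admins (512).
        $sid.AccountDomainSid -and ([int64]($sid.Value.Split('-')[-1]) -ge 1000)
    } |
    Group-Object { $_.IdentityReference.Value }

if (-not $candidates) {
    # Matches the drawback noted in the post: admin-created accounts leave
    # no individual trustee on the object.
    'No individual trustee found on this object.'
}
foreach ($g in $candidates) {
    "Trustee : $(Resolve-SidName $g.Group[0].IdentityReference)"
    $g.Group | ForEach-Object { "    $($_.AccessControlType) $($_.ActiveDirectoryRights)" }
}
```

A trustee listed here is only a candidate: explicit permissions can also be granted after creation, so compare the result with the creation time stamp and any available logs.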