
Windows 2003 active directory computer creation - who done it?

An unusual computer account has appeared in our midst and I am trying to query AD to determine which credentials it was entered with when it was created. I was able to determine a time stamp but no account info. Does anyone know how to determine this, or what dsquery would get me there?
Asked by: wpstech
 
ieden Commented:
Winternals Administrator's Pak has a tool called AD Explorer which would be able to tell you just about anything you might want to know about any item in AD...
 
prashsax Commented:
You can find out about it, if you have enabled auditing for user account management.

If it has not been created a long time back and you have security events for the domain controller.

Try and locate event 624. It will show you who has created the account.
 
wpstech (Author) Commented:
Auditing was not on - I have tried several query tools and did not find any of this info... Do you know what property this would be called?

I will try the Winternals product and get back to you.
 
prashsax Commented:
You can enable auditing from Group Policy.

Default Domain Policy -> Computer Configuration -> Windows Settings -> Local Policies -> Auditing.

Enable auditing for account management. Select Success and failure.

You can find name of the creator only if auditing is enabled.

Whenever a userId is created in AD, a security event 624 is generated. This contains the account created and the userid of the person who created the account.
 
jasonbrandt3 Commented:
Which log in Eventvwr does it generate the 624 message?

I have auditing enabled (success/failure) for account management but I'm having trouble finding ANY 624 messages.
 
ieden Commented:
I believe it's in System.
Found a better way using ADUC though. Only one drawback though.
When you discover the Computer account in AD, the security tab screen allows you to view a number of user\group accounts with rights to the computer. There is usually an account though that is a regular flesh and blood user with a limited security to the account. This is the one which has added the computer to the domain. Of course the drawback is that if a Domain Admin adds the computer or a member of Account Operators, there will be no individual record.
Question has a verified solution.
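
Added example, not part of any participant's post: when auditing was off, the computer object itself can still be inspected from PowerShell for the creator hints discussed in the thread (the Security tab entries) plus the `mS-DS-CreatorSID` attribute, which AD fills in when an ordinary user creates the account through the "Add workstations to domain" right. `UNKNOWN-PC01` is a constructed placeholder and `Resolve-Sid` is a hypothetical helper; the script assumes it runs on a domain-joined machine as a user who can read the object.

```powershell
# Added example, not from the thread. 'UNKNOWN-PC01' is a constructed placeholder.
$computerName = 'UNKNOWN-PC01'

function Resolve-Sid($sid) {
    # Hypothetical helper: fall back to the raw SID string when the
    # account behind it no longer exists or cannot be resolved.
    try { $sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $sid.Value }
}

# Locate the computer object in the current domain (computer sAMAccountNames end in '$').
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.Filter = "(&(objectCategory=computer)(sAMAccountName=$computerName`$))"
'whenCreated', 'mS-DS-CreatorSID' |
    ForEach-Object { [void]$searcher.PropertiesToLoad.Add($_) }
$result = $searcher.FindOne()
if (-not $result) { throw "No computer account named '$computerName' was found." }

# mS-DS-CreatorSID is absent when the account was created by an administrator
# or an operator with create rights, the same blind spot noted for the ADUC method.
$creator = '(mS-DS-CreatorSID not set)'
if ($result.Properties.Contains('ms-ds-creatorsid')) {
    [byte[]]$sidBytes = $result.Properties['ms-ds-creatorsid'][0]
    $creator = Resolve-Sid (New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0))
}

# Read the security descriptor: the owner and the explicit (non-inherited) ACEs
# are what the ADUC Security tab shows for this object.
$security = $result.GetDirectoryEntry().psbase.ObjectSecurity
$sidType  = [System.Security.Principal.SecurityIdentifier]
$owner    = Resolve-Sid ($security.GetOwner($sidType))

"Created    : $($result.Properties['whencreated'][0])"
"CreatorSID : $creator"
"Owner      : $owner"

# An individual user holding explicit rights here is the candidate creator.
$security.GetAccessRules($true, $false, $sidType) |
    Select-Object @{ n = 'Identity'; e = { Resolve-Sid $_.IdentityReference } },
                  AccessControlType, ActiveDirectoryRights |
    Format-Table -AutoSize
```

A named user in `CreatorSID`, or an individual account among the explicit ACEs, is a lead to confirm against other records, not proof on its own.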
