Event Log for Computer added to domain

By peter_maryan

Hello,

Logged into our AD server this morning to find out that someone at some point added a computer named "dumbass" to our domain.

Where in the log files would this information be kept, as to who authorized it and from what IP it was added?

Thanks!

by BFilmFan In reply to Event Log for Computer ad ...

The record of who added the system to the domain would be on the domain controller they authenticated against. This event may or may not be in the security log depending on what you are or are not auditing.

So did you take a default install of Active Directory or did you configure auditing? You will be looking for an Event ID 645 for computer account creation, 646 for a change and 647 for a deletion.

You can learn more about configuring auditing here:

http://www.microsoft.com/technet/prodtechnol/windows2000serv/maintain/monitor/logonoff.mspx

Unless you have locked the network down, Authenticated Users can add up to 10 computers to a network. You can lock that down by following the steps in this article:

http://www.windowsitpro.com/ActiveDirectory/Article/ArticleID/24672/ActiveDirectory_24672.html

Microsoft has security guidance published for both Windows 2000 and Windows 2003 server:

Windows 2000:
http://www.microsoft.com/downloads/details.aspx?FamilyId=9964CF42-E236-4D73-AEF4-7B4FDC0A25F6&displaylang=en

Windows 2003:
http://www.microsoft.com/downloads/details.aspx?FamilyID=8a2643c1-0685-4d89-b655-521ea6c7b4db&displaylang=en

Windows XP:
http://www.microsoft.com/technet/security/prodtech/windowsxp/secwinxp/default.mspx

National Security Agency (aka Spooks R' Us). Note that this one covers several OSes:

http://www.nsa.gov/snac/downloads_all.cfm
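
One way to run the search described in the answer above, as an added example that is not part of the original thread: it asks each domain controller's Security log for Event IDs 645, 646 and 647, then reads the domain's computer-join quota. The DC names are placeholders, the "Caller User Name:" and "Account Name:" labels in the event text are assumptions, and `ms-DS-MachineAccountQuota` is the directory attribute behind the 10-computer limit.

```powershell
# Added example. DC names below are placeholders; replace with your own.
$DomainControllers = @('DC01', 'DC02')
$AccountEventIds   = 645, 646, 647   # create / change / delete, as listed in the answer

$found = foreach ($dc in $DomainControllers) {
    try {
        # Each DC keeps its own Security log, so every DC has to be asked.
        Get-EventLog -LogName Security -ComputerName $dc `
                     -InstanceId $AccountEventIds -ErrorAction Stop |
            Select-Object TimeGenerated, MachineName, EventID,
                @{ Name = 'Caller'; Expression = {
                    # Assumption: the message text carries a "Caller User Name:" field.
                    if ($_.Message -match 'Caller User Name:\s*(\S+)') { $Matches[1] }
                    else { $_.UserName }
                } },
                @{ Name = 'Account'; Expression = {
                    # Assumption: the affected account appears as "... Account Name:".
                    if ($_.Message -match 'Account Name:\s*(\S+)') { $Matches[1] }
                } },
                Message
    }
    catch {
        # Also raised when the log holds no matching entries (auditing off or log wrapped).
        Write-Warning "${dc}: $($_.Exception.Message)"
    }
}

# Oldest first, so the creation event precedes any later change or deletion.
$found | Sort-Object TimeGenerated |
    Format-Table TimeGenerated, MachineName, EventID, Caller, Account -AutoSize

# How many computers an ordinary authenticated user may join (10 unless changed).
$rootDse = [ADSI]'LDAP://RootDSE'
$domain  = [ADSI]("LDAP://" + $rootDse.defaultNamingContext)
$quota   = $domain.Properties['ms-DS-MachineAccountQuota'].Value
"ms-DS-MachineAccountQuota = $quota"
```

An empty result from every DC means either account-management auditing was not enabled when the computer was joined or the log has since overwritten the entry.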

by peter_maryan In reply to

Poster rated this answer.

by peter_maryan In reply to Event Log for Computer ad ...

This question was closed by the author
