How to audit who adds computers to domain

Allen Ferdinand

I have a win2k AD network with 7 sites. In one site, I keep finding
that someone is adding computers to the domain. Is there an easy way
to find out who is adding computers? All of my people have sworn that
it isn't them. I've changed all admin passwords and checked security
in the computers folder so that this shouldn't be happening. Is there
a log entry that I can enable to track this?

thanks much,
Allen
 
none

I would start with the computer that was added and look in the event viewer
to see who was logged into it when it was added. It does not necessarily
have to be an admin account. A standard user can add a computer if they have
been given that particular right.

Look at the event viewer on all the DCs (all, not just the one in that
location). Use group policy to enable auditing on all DCs.

If it is not the firm's computer that is being added to the domain then you
have bigger problems. Someone bringing in an outside computer can cause an
incredible amount of damage because you have no idea if it is infected or
not.

Well, either someone is lying or you missed an admin account.

I would make the statement "tell me now and there will be no repercussions.
If I find out on my own who it is you will be terminated". Of course you
have to be able to back that up. Seeing that an infected computer could hose
your entire firm I would say it is a very serious offense.
 
Oli Restorick [MVP]

Remember, domain users by default can add up to 10 computers to the domain
in Windows 2000 and above. If this default has been left, it could be
anyone.

This option is controlled by the "add workstations to the domain" right,
which under NT4 was the right you had to have to add computer accounts.
Under Windows 2000 and above, this option is limited to 10 accounts and
permissions on the OU or container control who can add computer accounts.

Oli
 
Steven L Umbach

Enable auditing of account management events in your Domain Controller
Security Policy and then look for event ID 645 in the security logs in Event
Viewer on the domain controllers. You can use the free Event Comb from
Microsoft to do this for multiple computers at a time. You may also want to
make sure that the user right for "add workstations to the domain" is
configured for only the domain admins group, as by default it is authenticated
users, which allows each user to add up to ten workstations by default. That
user right setting ONLY works at the domain controller level. To get some
clues look at the computer account in AD Users and Computers and look at the
security/advanced - owner page and the object page which will tell you what
day and time the account was created. --- Steve

http://www.microsoft.com/technet/security/guidance/secmod144.mspx
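As an added illustration of the search Steve describes (not code from this thread or from Microsoft), the script below triages event ID 645 records after they have been dumped to text from every DC, pulls out which caller created which computer account, and flags callers that are not on an expected list. The sample records are constructed, and the field labels (New Computer Account Name, Caller User Name, Caller Domain) are assumed to match the Windows 2000 security log layout of event 645; the comma-separated "DC,EventID,Type,Message" line shape is an assumption about the export format.

```python
import re
from collections import defaultdict

# Constructed sample: one record per line as an export tool might write it
# (assumed shape: DC,EventID,Type,Message). The 642 record is a distractor.
SAMPLE_EVENTS = """\
DC1,645,Success Audit,Computer Account Created: New Computer Account Name: LAB-PC01$ New Domain: CORP Caller User Name: jsmith Caller Domain: CORP Caller Logon ID: (0x0,0x3E7A1)
DC3,645,Success Audit,Computer Account Created: New Computer Account Name: TW-WKS17$ New Domain: CORP Caller User Name: jsmith Caller Domain: CORP Caller Logon ID: (0x0,0x51B2C)
DC3,645,Success Audit,Computer Account Created: New Computer Account Name: BUILD02$ New Domain: CORP Caller User Name: svc_deploy Caller Domain: CORP Caller Logon ID: (0x0,0x7D101)
DC2,642,Success Audit,User Account Changed: Target Account Name: bob Caller User Name: admin1 Caller Domain: CORP
"""

# Field labels assumed to match the event 645 message text.
EVENT_645 = re.compile(
    r"New Computer Account Name:\s*(?P<computer>\S+).*?"
    r"Caller User Name:\s*(?P<caller>\S+).*?"
    r"Caller Domain:\s*(?P<caller_domain>\S+)"
)

def parse_events(text):
    """Yield (dc, computer_account, DOMAIN\\caller) for each event 645 record."""
    for line in text.splitlines():
        if not line.strip():
            continue
        dc, event_id, _type, message = line.split(",", 3)
        if event_id.strip() != "645":
            continue  # only computer-account creations matter here
        match = EVENT_645.search(message)
        if not match:
            continue  # malformed record; skip rather than guess
        caller = f"{match['caller_domain']}\\{match['caller']}"
        yield dc, match["computer"], caller

def creators_by_account(text):
    """Map each new computer account to (DC that logged it, creating caller)."""
    return {computer: (dc, caller) for dc, computer, caller in parse_events(text)}

def unexpected_creators(text, allowed):
    """Map each caller not in `allowed` to the (DC, computer) pairs they created."""
    allowed_lc = {a.lower() for a in allowed}
    hits = defaultdict(list)
    for dc, computer, caller in parse_events(text):
        if caller.lower() not in allowed_lc:
            hits[caller].append((dc, computer))
    return dict(hits)

if __name__ == "__main__":
    for caller, created in unexpected_creators(SAMPLE_EVENTS, {"CORP\\svc_deploy"}).items():
        print(caller, "created", ", ".join(f"{c} (logged on {dc})" for dc, c in created))
```

Running it over the constructed sample reports that CORP\jsmith created two accounts, one of them logged on a DC in a different site, which is exactly the cross-DC correlation the earlier replies recommend.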
 
Allen Ferdinand

I found that this morning and removed it. Hyena is good for showing those rights.
 
Allen Ferdinand

Thanks guys, I had missed the part about being able to add 10
computers. I found that right and fixed it with Hyena this morning.
I was really looking for which event id to search for. Now I've got
it. Now I just have to wait until Taiwan comes to life so that I can
start browsing their computers.
Again, thanks a lot.
 