Re: How to audit who adds computers to domain

From: Steven L Umbach (n9rou_at_nscomcast.net)
Date: 05/24/04


Date: Mon, 24 May 2004 00:56:02 GMT

Enable auditing of account management events in your Domain Controller
Security Policy and then look for event ID 645 in the security logs in Event
Viewer on the domain controllers. You can use the free Event Comb from
Microsoft to do this for multiple computers at a time. You may also want to
make sure that the user right for "add workstations to the domain" is
configured for only the domain admins group, as by default it is authenticated
users, which allows each user to add up to ten workstations by default. That
user right setting ONLY works at the domain controller level. To get some
clues, look at the computer account in AD Users and Computers and look at the
security/advanced - owner page and the object page, which will tell you what
day and time the account was created. --- Steve

http://www.microsoft.com/technet/security/guidance/secmod144.mspx

"Allen Ferdinand" <allen.ferdinand@avizatechnology.com> wrote in message
news:725a41b7.0405230912.350cc1d6@posting.google.com...
> I have a win2k AD network with 7 sites. In one site, I keep finding
> that someone is adding computers to the domain. Is there an easy way
> to find out who is adding computers? All of my people have sworn that
> it isn't them. I've changed all admin passwords and checked security
> in the computers folder so that this shouldn't be happening. Is there
> a log entry that I can enable to track this?
>
> thanks much,
> Allen
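
Added example, not part of the original post and not a Microsoft tool: once the security-log records have been collected from the domain controllers, a short script can pull the event ID 645 entries and group the new computer accounts by the account that created them. The CSV layout, the description text and every name in the sample (EXAMPLE, jdoe, LAB-PC01$) are constructed assumptions.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample, not real log data. Assumed export: one CSV row per
# security-log record collected from the domain controllers.
SAMPLE_EXPORT = '''timestamp,dc,event_id,description
2004-05-20 09:14:02,DC1,645,"Computer Account Created: New Account Name: LAB-PC01$ New Domain: EXAMPLE Caller User Name: jdoe Caller Domain: EXAMPLE"
2004-05-20 09:20:45,DC1,642,"User Account Changed: Target Account Name: asmith Caller User Name: Administrator Caller Domain: EXAMPLE"
2004-05-21 16:02:11,DC2,645,"Computer Account Created: New Account Name: LAB-PC02$ New Domain: EXAMPLE Caller User Name: jdoe Caller Domain: EXAMPLE"
2004-05-22 11:30:00,DC1,645,"Computer Account Created: New Account Name: SRV-FILE2$ New Domain: EXAMPLE Caller User Name: Administrator Caller Domain: EXAMPLE"
2004-05-22 11:31:07,DC2,645,"Computer Account Created: (description truncated)"
'''

# "Label: value" pairs in the assumed event 645 description text.
FIELD = re.compile(r"(New Account Name|Caller User Name|Caller Domain):\s*(\S+)")

def computer_account_creations(export_text):
    """Return (rows, unparsed): one dict per usable event 645 record, and a count of the rest."""
    rows, unparsed = [], 0
    for rec in csv.DictReader(io.StringIO(export_text)):
        if rec["event_id"].strip() != "645":
            continue
        f = dict(FIELD.findall(rec["description"]))
        if len(f) < 3:
            unparsed += 1  # counted so that missing data is visible, not silent
            continue
        rows.append({"when": rec["timestamp"], "dc": rec["dc"],
                     "computer": f["New Account Name"],
                     "caller": f["Caller Domain"] + "\\" + f["Caller User Name"]})
    return rows, unparsed

def creations_by_caller(rows, expected_callers):
    """Group new computer accounts by caller; flag callers outside expected_callers."""
    expected = {c.lower() for c in expected_callers}
    grouped = defaultdict(list)
    for r in rows:
        grouped[r["caller"]].append(r["computer"])
    return {caller: {"computers": names, "unexpected": caller.lower() not in expected}
            for caller, names in grouped.items()}

if __name__ == "__main__":
    rows, unparsed = computer_account_creations(SAMPLE_EXPORT)
    for caller, info in creations_by_caller(rows, [r"EXAMPLE\Administrator"]).items():
        print(caller, info["computers"], "UNEXPECTED" if info["unexpected"] else "ok")
    print("unparsable 645 rows:", unparsed)
```

The records have to come from every domain controller, since each one logs only the account creations it handled itself.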


