How to audit who adds computers to domain


Allen Ferdinand

I have a win2k AD network with 7 sites. In one site, I keep finding
that someone is adding computers to the domain. Is there an easy way
to find out who is adding computers? All of my people have sworn that
it isn't them. I've changed all admin passwords and checked security
in the computers folder so that this shouldn't be happening. Is there
a log entry that I can enable to track this?

thanks much,
Allen
 
I would start with the computer that was added and look in the event viewer
to see who was logged into it when it was added. It does not necessarily
have to be an admin account. A standard user can add a computer if they have
been given that particular right.

Look at the event viewer on all the DCs (all, not just the one in that
location). Use group policy to enable auditing on all DCs.

If it is not the firm's computer that is being added to the domain then you
have bigger problems. Someone bringing in an outside computer can cause an
incredible amount of damage because you have no idea if it is infected or
not.

Well, either someone is lying or you missed an admin account.

I would make the statement "tell me now and there will be no repercussions;
if I find out on my own who it is you will be terminated". Of course you
have to be able to back that up. Seeing that an infected computer could hose
your entire firm I would say it is a very serious offense.
 
Remember, domain users by default can add up to 10 computers to the domain
in Windows 2000 and above. If this default has been left, it could be
anyone.

This option is controlled by the "add workstations to the domain" right,
which under NT4 was the right you had to have to add computer accounts.
Under Windows 2000 and above, this option is limited to 10 accounts and
permissions on the OU or container control who can add computer accounts.

Oli
 
Enable auditing of account management events in your Domain Controller
Security Policy and then look for event ID 645 in the security logs in Event
Viewer on the domain controllers. You can use the free Event Comb from
Microsoft to do this for multiple computers at a time. You may also want to
make sure that the user right for "add workstations to the domain" is
configured for only the domain admins group, as by default it is authenticated
users, which allows each user to add up to ten workstations by default. That
user right setting ONLY works at the domain controller level. To get some
clues, look at the computer account in AD Users and Computers and look at the
security/advanced - owner page and the object page, which will tell you what
day and time the account was created. --- Steve

http://www.microsoft.com/technet/security/guidance/secmod144.mspx
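The procedure Steve describes, as an added example that is not part of the thread: a Windows PowerShell script that pulls "computer account created" events from every DC (ID 645 for the Windows 2000/2003 era, 4741 for 2008 and later) and lists creator and computer name, then cross-checks recently created computer objects against their AD owner and creation date. It assumes the ActiveDirectory (RSAT) module, rights to read the DCs' Security logs, and the standard field layout of those two events; Get-EventLog exists in Windows PowerShell 5.1 but not in PowerShell 7.

```powershell
# Added example (not from the thread): who created which computer account?
# Assumes RSAT ActiveDirectory module and remote read access to DC Security logs.
Import-Module ActiveDirectory

# ReplacementStrings positions, assumed from the standard event layout:
# 645 (Win2000/2003): [0] New Account Name, [3] Caller User Name
# 4741 (2008+):       [0] TargetUserName,   [4] SubjectUserName
# Verify against one real event on your DCs before trusting the columns.
$fields = @{ 645 = @{ Target = 0; Caller = 3 }; 4741 = @{ Target = 0; Caller = 4 } }

function Get-ComputerCreationEvents {
    param([int]$Days = 30)
    $since = (Get-Date).AddDays(-$Days)
    # Query all DCs, not just the one at the affected site: the account is
    # created on whichever DC the joining client happened to talk to.
    foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
        foreach ($id in $fields.Keys) {
            try {
                Get-EventLog -LogName Security -ComputerName $dc -InstanceId $id `
                             -After $since -ErrorAction Stop |
                    ForEach-Object {
                        [pscustomobject]@{
                            Time     = $_.TimeGenerated
                            DC       = $dc
                            EventId  = $id
                            Computer = $_.ReplacementStrings[$fields[$id].Target]
                            Creator  = $_.ReplacementStrings[$fields[$id].Caller]
                        }
                    }
            } catch {
                # "No matches found" is normal; anything else means a DC you could not audit.
                if ($_.Exception.Message -notmatch 'No matches found') {
                    Write-Warning "${dc}: cannot read Security log for ID $id ($($_.Exception.Message))"
                }
            }
        }
    }
}

# Second clue from the thread: the object's owner and whenCreated attribute.
# A computer joined by an ordinary user is owned by that user, not by Domain Admins.
function Get-RecentComputerObjects {
    param([int]$Days = 30)
    Get-ADComputer -Filter * -Properties whenCreated, nTSecurityDescriptor |
        Where-Object { $_.whenCreated -gt (Get-Date).AddDays(-$Days) } |
        Select-Object Name, whenCreated,
            @{ Name = 'Owner'; Expression = { $_.nTSecurityDescriptor.Owner } }
}

Get-ComputerCreationEvents | Sort-Object Time | Format-Table -AutoSize
Get-RecentComputerObjects  | Sort-Object whenCreated | Format-Table -AutoSize
```

The event query only returns anything once "Audit account management" (success) is enabled on the DCs; the owner/whenCreated check works regardless, which makes it the quicker first look.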
 
I found that this morning and removed it. Hyena is good for showing those rights.
 
Thanks guys, I had missed the part about being able to add 10
computers. I found that right and fixed it with Hyena this morning.
I was really looking for which event ID to search for. Now I've got
it. Now I just have to wait until Taiwan comes to life so that I can
start browsing their computers.
Again, thanks a lot.
 