|Type: Success Audit|
Computer Account Changed: -
Target Account Name: <computer name>$
Target Domain: <domain name>
Target Account ID: <domain name>\<computer name>$
Caller User Name: <user name>$
Caller Domain: <domain name>
Caller Logon ID: (0x0,0x3E7)
The previous comment is not entirely correct, at least not on a Windows 2003 Domain. Event 646 is not an indication that a computer joined a domain. In this case, an indication could rather be event 645: Computer account created. It is true that 646 is also logged in this case. In fact, it is logged twice, once for enabling the account and once for resetting the account, but it can be logged in the same way, without a computer joining the domain (for example if the administrator manually resets or enables/disables an account).
Therefore, when a computer joins a domain, the following events from the "Account Management" category are logged in the following order:
645: Computer account created.
628: User account password set.
646: Computer account changed, with information on field "Password Last Set" - indicating that the computer account was reset.
646: Computer account changed, with information on field "User Account Control": User account enabled - indicating that the computer account was enabled.
626: User account enabled (it is always logged with 646 when a computer account is enabled/disabled).
Other events logged are from "Directory Service Access" category: two 565 (object open) events and from "Object Access" category: two 562 (handle closed) events.
The 646 event is also logged when a computer account is reset. The "Changed Attributes" set of fields will only have information on the "Password last set" field.
The 646 event is also logged when a computer account is enabled/disabled. In these situations the event will be logged together with event 626 (user account enabled) / 629 (user account disabled). The "User Account Control" field in event 646 will display information on the action performed:
User Account Control: Account Enabled
User Account Control: Account Disabled.
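The event sequences described in the comment above (domain join, manual password reset, enable/disable) can be told apart by looking at the whole run of Account Management events for one computer account, not at the 646 alone. The following is an added example, not code from EventID.Net or the comment author: it classifies a constructed sample of Security log records by these rules, assuming records arrive in log order and that the "Changed Attributes" fields have been parsed into a dictionary.

```python
from collections import defaultdict

# Constructed sample of Windows 2003 Security log records (not real data).
# Each record: (record number, event id, target account, changed attributes).
SAMPLE_EVENTS = [
    (101, 645, "WS01$", {}),
    (102, 628, "WS01$", {}),
    (103, 646, "WS01$", {"Password Last Set": "2004-03-01 10:15"}),
    (104, 646, "WS01$", {"User Account Control": "Account Enabled"}),
    (105, 626, "WS01$", {}),
    (106, 646, "WS02$", {"Password Last Set": "2004-03-01 10:20"}),  # manual reset
    (107, 646, "WS03$", {"User Account Control": "Account Disabled"}),
    (108, 629, "WS03$", {}),
]


def classify_account(records):
    """Label the 646-related activity of one computer account.

    records: list of (event id, changed attributes) in log order.
    """
    ids = [eid for eid, _ in records]
    attrs = [a for _, a in records]
    # Domain join: 645, 628, 646 (password reset), 646 (enabled), 626.
    if (ids == [645, 628, 646, 646, 626]
            and "Password Last Set" in attrs[2]
            and attrs[3].get("User Account Control") == "Account Enabled"):
        return "domain join"
    # Enable/disable: 646 paired with 626 or 629.
    if 646 in ids and 626 in ids:
        return "account enabled"
    if 646 in ids and 629 in ids:
        return "account disabled"
    # A lone 646 whose only changed attribute is Password Last Set: reset.
    if ids == [646] and list(attrs[0]) == ["Password Last Set"]:
        return "account reset"
    return "other"


def classify(events):
    """Group raw records by target account and classify each account."""
    per_account = defaultdict(list)
    for _, eid, target, changed in events:
        per_account[target].append((eid, changed))
    return {target: classify_account(recs) for target, recs in per_account.items()}


if __name__ == "__main__":
    for target, label in classify(SAMPLE_EVENTS).items():
        print(f"{target}: {label}")
```

Alerting on "domain join" rather than on every 646 avoids noise from routine account resets, which the comment notes also produce 646.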
This event indicates that a computer has joined the domain. The user name used for this operation is indicated in the event.
|Links: ME174074, Online Analysis of Security Event Log, EventID 626 from source Security, EventID 628 from source Security, EventID 645 from source Security, EventID 562 from source Security, EventID 565 from source Security|