Event ID: 646 Source: Security

Description:
Computer Account Changed: -
Target Account Name: <computer name>$
Target Domain: <domain name>
Target Account ID: <domain name>\<computer name>$
Caller User Name: <user name>$
Caller Domain: <domain name>
Caller Logon ID: (0x0,0x3E7)
Comments
 
The previous comment is not entirely correct, at least not on a Windows 2003 Domain. Event 646 is not an indication that a computer joined a domain. In this case, an indication could rather be event 645: Computer account created. It is true that 646 is also logged in this case. In fact, it is logged twice, once for enabling the account and once for resetting the account, but it can be logged in the same way, without a computer joining the domain (for example if the administrator manually resets or enables/disables an account).
Therefore, when a computer joins a domain, the following events from the "Account Management" category are logged in the following order:

645: Computer account created.
628: User account password set.
646: Computer account changed, with information on field "Password Last Set" - indicating that the computer account was reset.
646: Computer account changed, with information on field "User Account Control": User account enabled - indicating that the computer account was enabled.
626: User account enabled (it is always logged with 646 when a computer account is enabled/disabled).

Other events logged are from "Directory Service Access" category: two 565 (object open) events and from "Object Access" category: two 562 (handle closed) events.

The 646 event is logged also when a computer account is reset. The "Changed Attributes" set of fields will only have information on the "Password last set" field.

The 646 event is also logged when a computer account is enabled/disabled. In these situations the event will be logged together with 626 event (user account enabled) / 629 (user account disabled). The "User Account Control" field in event 646 will display information on the action performed:
User Account Control: Account Enabled
or
User Account Control: Account Disabled.
This event indicates that a computer has joined the domain. The user name used for this operation is indicated in the event.
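
The comments above distinguish a domain join (645, 628, 646, 646, 626 in that order) from a manual reset or enable/disable, which also log 646. The following Python is an added example, not part of the original page, that labels each 646 by its companion events for the same computer account; the record keys (`id`, `target`, `changed`) and the sample events are constructed for illustration.

```python
from collections import defaultdict

# Order given in the comment above for a computer joining the domain.
JOIN_SEQUENCE = [645, 628, 646, 646, 626]

# Constructed sample records; the keys 'id', 'target', 'changed' are hypothetical.
SAMPLE = [
    {"id": 645, "target": "WS01$", "changed": ""},
    {"id": 628, "target": "WS01$", "changed": ""},
    {"id": 646, "target": "WS01$", "changed": "Password Last Set"},
    {"id": 646, "target": "WS01$", "changed": "User Account Control: Account Enabled"},
    {"id": 626, "target": "WS01$", "changed": ""},
    {"id": 646, "target": "WS02$", "changed": "Password Last Set"},
    {"id": 646, "target": "WS03$", "changed": "User Account Control: Account Disabled"},
    {"id": 629, "target": "WS03$", "changed": ""},
]

def match_in_order(ids, pattern):
    """Return the indices in ids that match pattern as an ordered subsequence, else []."""
    found = []
    for i, eid in enumerate(ids):
        if len(found) < len(pattern) and eid == pattern[len(found)]:
            found.append(i)
    return found if len(found) == len(pattern) else []

def classify_646(events):
    """Label every 646 by the companion events logged for the same computer account."""
    by_target = defaultdict(list)
    for ev in events:  # events are assumed to be in log order
        by_target[ev["target"]].append(ev)
    labels = []
    for target, evs in by_target.items():
        ids = [e["id"] for e in evs]
        join_idx = set(match_in_order(ids, JOIN_SEQUENCE))
        for i, ev in enumerate(evs):
            if ev["id"] != 646:
                continue
            if i in join_idx:
                label = "join"  # part of the full 645 ... 626 sequence
            elif "Account Enabled" in ev["changed"] and 626 in ids:
                label = "enabled"
            elif "Account Disabled" in ev["changed"] and 629 in ids:
                label = "disabled"
            elif "Password Last Set" in ev["changed"]:
                label = "reset"
            else:
                label = "other"
            labels.append((target, label))
    return labels
```

Calling `classify_646(SAMPLE)` labels both WS01$ events as a join, the lone WS02$ event as a reset, and the WS03$ event as a disable.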
