Event Details
EventID 645 - Computer Account Created [Win 2003]
 Sample:
Event Type:     SuccessAudit
Event Source:   Security
Event Category: Account Management
Event ID:       645
Date:           10/26/2009
Time:           07:31:56
User:           RESEARCH\ALebovsky
Computer:       DC1
Description:    
Computer Account Created:
	New Account Name:	Editor$
	New Domain:	RESEARCH
	New Account ID:	RESEARCH\Editor$
	Caller User Name:	Alebovsky
	Caller Domain:	RESEARCH
	Caller Logon ID:	(0x0,0x59DF36)
	Privileges		-
Attributes:
	Sam Account Name:	Editor$
	Display Name:	-
	User Principal Name:	-
	Home Directory:	-
	Home Drive:	-
	Script Path:	-
	Profile Path:	-
	User Workstations:	-
	Password Last Set:	<never>
	Account Expires:	<never>
	Primary Group ID:	515
	AllowedToDelegateTo:	-
	Old UAC Value:	0x0
	New UAC Value:	0x80
	User Account Control:	
		'Workstation Trust Account' - Enabled
	User Parameters:	-
	Sid History:	-
	Logon Hours:	<value not set>
	DNS Host Name:	-
	Service Principal Names:	-
Log Type: Windows Event Log
 Uniquely Identified By:
Log Name: Security
| Filtering Field | Equals to Value |
|---|---|
| OSVersion | Windows 2003 |
| Category | Account Management |
| Source | Security |
| EventId | 645 |
Field Matching
| Field | Description | Stored in | Sample Value |
|---|---|---|---|
| When | At what date and time a user activity originated in the system. | DateTime | 1/1/2000 |
| Who | Account or user name under which the activity occurred. | Caller User Name | Alebovsky |
| What | The type of activity that occurred (e.g. Logon, Password Changed, etc.) | "Computer Account Created" | Computer Account Created |
| Where | The name of the workstation/server where the activity was logged. | Computer | 10.10.10.10 |
| Where From | The name of the workstation/server where the activity was initiated from. | - | 10.10.10.10 |
| Severity | Specify the seriousness of the event. | "High" | High |
| WhoDomain | | Caller Domain | RESEARCH |
| WhereDomain | | - | |
| Whom | Account or user name being managed. | New Account ID | RESEARCH\Editor$ |