Event Details
EventID 645 - Computer Account Created [Win 2003]
Indicates a successful creation of a new computer account by "caller user".

This event occurs only on domain controllers.

Find more information about this event on ultimatewindowssecurity.com.

Corresponding events on other OS versions:

Windows 2000

Windows 2008

Event Type:     SuccessAudit
Event Source:   Security
Event Category: Account Management
Event ID:       645
Date:           10/26/2009
Time:           07:31:56
User:           RESEARCH\ALebovsky
Computer:       DC1
Computer Account Created:
	New Account Name:	Editor$
	New Domain:	RESEARCH
	New Account ID:	RESEARCH\Editor$
	Caller User Name:	Alebovsky
	Caller Domain:	RESEARCH
	Caller Logon ID:	(0x0,0x59DF36)
	Privileges		-
	Sam Account Name:	Editor$
	Display Name:	-
	User Principal Name:	-
	Home Directory:	-
	Home Drive:	-
	Script Path:	-
	Profile Path:	-
	User Workstations:	-
	Password Last Set:	<never>
	Account Expires:	<never>
	Primary Group ID:	515
	AllowedToDelegateTo:	-
	Old UAC Value:	0x0
	New UAC Value:	0x80
	User Account Control:	
		'Workstation Trust Account' - Enabled
	User Parameters:	-
	Sid History:	-
	Logon Hours:	<value not set>
	DNS Host Name:	-
	Service Principal Names:	-
Log Type: Windows Event Log

Uniquely Identified By:
Log Name: Security

| Filtering Field | Equals to Value |
| --- | --- |
| OSVersion | Windows 2003 |
| Category | Account Management |
| Source | Security |
| EventId | 645 |
Field Matching
| Field | Description | Stored in | Sample Value |
| --- | --- | --- | --- |
| DateTime | Date/Time of event origination in GMT format. | DateTime | 10.10.2000 19:00:00 |
| Source | Name of an Application or System Service originating the event. | Source | Security |
| Type | Warning, Information, Error, Success, Failure, etc. | Type | Success |
| User | Domain\Account name of user/service/computer initiating event. | User | RESEARCH\Alebovsky |
| Computer | Name of server or workstation where event was logged. | Computer | DC1 |
| EventID | Numerical ID of event. Unique within one Event Source. | EventId | 576 |
| Description | The entire unparsed event message. | Description | Special privileges assigned to new logon. |
| Log Name | The name of the event log (e.g. Application, Security, System, etc.) | LogName | Security |
| Category | A name for a subclass of events within the same Event Source. | Category | Logon/Logoff |
| Caller User Name | Account initiating action | InsertionString4 | Alebovsky |
| Caller Domain | Domain of the account initiating action | InsertionString5 | RESEARCH |
| Caller Logon ID | A number uniquely identifying the logon session of the user initiating action. This number can be used to correlate all user actions within one logon session. | InsertionString6 | (0x0,0x59DF36) |
| New Account Name | Name of the newly created computer account | InsertionString1 | Editor$ |
| New Domain | Domain name of the newly created account | InsertionString2 | RESEARCH |
| New Account ID | Name of the newly created account in the following format: New Account Domain\New Account Name | InsertionString3 | RESEARCH\Editor$ |
| Sam Account Name | The logon name used to support clients and servers running older versions of the operating system, such as Windows NT 4.0, Windows 95, Windows 98, and LAN Manager. | InsertionString8 | Editor$ |
| Display Name | This is usually the combination of the user's first name, middle initial, and last name. | InsertionString9 | <value not set> |
| User Principal Name | User name in an e-mail address format. The username is followed by the "@" followed by the name of the domain with which the user is associated. | InsertionString10 | - |
| Home Directory | The home directory for the account. If Home Drive is set and specifies a drive letter, Home Directory must be a UNC path. Otherwise, Home Directory is a fully qualified local path including the drive letter (e.g. "c:\directory\folder"). | InsertionString11 | <value not set> |
| Home Drive | Specifies the drive letter to which to map the UNC path specified by Home Directory. | InsertionString12 | <value not set> |
| Script Path | The path for the user's logon script. | InsertionString13 | <value not set> |
| Profile Path | The path to the user's profile. | InsertionString14 | <value not set> |
| User Workstations | Contains the NetBIOS or DNS names of the computers from which the user can log on. | InsertionString15 | <value not set> |
| Password Last Set | The date and time that the password for this account was last changed. This value is stored as a large integer that represents the number of 100-nanosecond intervals since January 1, 1601 (UTC). | InsertionString16 | <never> |
| Account Expires | The date when the account expires. This value represents the number of 100-nanosecond intervals since January 1, 1601 (UTC). | InsertionString17 | <never> |
| Primary Group ID | Contains the relative identifier (RID) for the primary group of the user. By default, this is the RID for the Domain Users group. | InsertionString18 | 515 |
| AllowedToDelegateTo | Contains the list of Service Principal Names (SPN) to which this user (normally service or computer account) can forward credentials on behalf of the client. | InsertionString19 | - |
| Old UAC Value | Bitwise representation of User Account Control Options check list (old value) | InsertionString20 | 0x0 |
| New UAC Value | Bitwise representation of User Account Control Options check list (new value) | InsertionString21 | 0x85 |
| User Account Control | Descriptions of set flags that control the behavior of the user account. | InsertionString22 | Account Disabled 'Password Not Required' - Enabled 'Workstation Trust Account' - Enabled |
| User Parameters | Used to store user data specific to the individual program. | InsertionString23 | <value changed, but not displayed> |
| Sid History | Contains previous SIDs used for the object if the object was moved from another domain. | InsertionString24 | - |
| Logon Hours | The hours that the user is allowed to log on to the domain. | InsertionString25 | <value not set> |
| DNS Host Name | Name of computer as registered in DNS. | InsertionString26 | - |
| Service Principal Names | List of principal names used for mutual authentication with an instance of a service on this machine. | InsertionString27 | - |
| Privileges | Contains the list of privileges. The purpose of this field is unknown. In most cases it is empty. | InsertionString7 | - |
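
Reading the fields above out of the event text, as an added example that is not part of the original page: the Python below splits the description of an event 645 into its named fields, reports who created which computer account, and expands New UAC Value into flag names. It assumes only the three flag bits this page's samples show (0x01, 0x04, 0x80); the sample text is constructed from the page's sample event, and the function names are hypothetical.

```python
import re

# Flag bits as they appear in the event's UAC fields. Only the three bits
# this page's samples show are mapped; other set bits are returned unmapped.
UAC_FLAGS = {
    0x01: "Account Disabled",
    0x04: "Password Not Required",
    0x80: "Workstation Trust Account",
}

# Constructed sample: an excerpt of the description text shown on this page.
SAMPLE = """Computer Account Created:
\tNew Account Name:\tEditor$
\tNew Domain:\tRESEARCH
\tCaller User Name:\tAlebovsky
\tCaller Domain:\tRESEARCH
\tCaller Logon ID:\t(0x0,0x59DF36)
\tPrivileges\t\t-
\tNew UAC Value:\t0x80
"""

def parse_description(text):
    """Split 'Name:<tab>value' lines into a dict; tolerates the colon-less Privileges line."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([^:\t]+):?\t+(.*)$", line)
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields

def decode_uac(value):
    """Return (known flag names, leftover unmapped bits) for a hex UAC string."""
    bits = int(value, 16)
    names = [name for bit, name in sorted(UAC_FLAGS.items()) if bits & bit]
    return names, bits & ~sum(UAC_FLAGS)

def summarize(text):
    """Who created which computer account, in which logon session, with what flags."""
    f = parse_description(text)
    names, unknown = decode_uac(f["New UAC Value"])
    return {
        "creator": f["Caller Domain"] + "\\" + f["Caller User Name"],
        "account": f["New Domain"] + "\\" + f["New Account Name"],
        "logon_id": f["Caller Logon ID"],
        "flags": names,
        "unknown_bits": unknown,
    }
```

The `logon_id` value is the one to join on when correlating this creation with the caller's other actions in the same logon session.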