Event Details
User Activity->Account Management->Account Changes->Computer Account Changes->Windows 2008->EventID 4741 - A computer account was created.
EventID 4741 - A computer account was created.
Indicates a successful creation of a "New Computer Account" by "Subject" user.
 Sample: 
Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          10/28/2009 8:29:33 PM
Event ID:      4741
Task Category: Computer Account Management
Level:         Information
Keywords:      Audit Success
User:          N/A
Computer:      dcc1.Logistics.corp
Description:   
A computer account was created.

Subject:
	Security ID:		S-1-5-21-1135140816-2109348461-2107143693-500
	Account Name:		ALebovsky
	Account Domain:		LOGISTICS
	Logon ID:		0x2a88a

New Computer Account:
	Security ID:		S-1-5-21-1135140816-2109348461-2107143693-1147
	Account Name:		Editor$
	Account Domain:		LOGISTICS

Attributes:
	SAM Account Name:	Editor$
	Display Name:		-
	User Principal Name:	-
	Home Directory:		-
	Home Drive:		-
	Script Path:		-
	Profile Path:		-
	User Workstations:	-
	Password Last Set:	<never>
	Account Expires:		<never>
	Primary Group ID:	515
	AllowedToDelegateTo:	-
	Old UAC Value:		0x0
	New UAC Value:		0x80
	User Account Control:	
		'Workstation Trust Account' - Enabled
	User Parameters:	-
	SID History:		-
	Logon Hours:		<value not set>
	DNS Host Name:		-
	Service Principal Names:	-

Additional Information:
	Privileges		-
Log Type: Windows Event Log
 Uniquely Identified By:
Log Name: Security
Filtering Field Equals to Value
OSVersion Windows Vista (2008)
Windows 7 (2008 R2)
Windows 8 (2012)
Windows 8.1 (2012 R2)
Windows 10 (2016)
Category Account Management
Source Microsoft-Windows-Security-Auditing
TaskCategory Computer Account Management
EventId 4741
Field Matching
FieldDescriptionStored inSample Value
When At what date and time a user activity originated in the system. DateTime 10.10.2000 19:00:00
Who Account or user name under which the activity occured. Subject: Account Name ALebovsky
What The type of activity occurred (e.g. Logon, Password Changed, etc.) "Computer Account Created" Computer Account Created
Where The name of the workstation/server where the activity was logged. Computer DC1
Where From The name of the workstation/server where the activity was initiated from. - 10.10.10.10
Severity Specify the seriousness of the event. "High" High
WhoDomain Subject: Account Domain LOGISTICS
WhereDomain -
Whom Account or user name being managed. New Computer Account: Security ID S-1-5-21-1135140816-2109348461-2107143693-1147
SAM Account Name Attributes: SAM Account Name Editor$
Display Name Attributes: Display Name -
User Principal Name Attributes: User Principal Name -
Home Directory Attributes: Home Directory -
Home Drive Attributes: Home Drive -
Script Path Attributes: Script Path -
Profile Path Attributes: Profile Path -
User Workstations Attributes: User Workstations -
Password Last Set Attributes: Password Last Set <never>
Account Expires Attributes: Account Expires <never>
Primary Group ID Attributes: Primary Group ID 515
Allowed To Delegate To Attributes: AllowedToDelegateTo -
Old value Attributes: Old UAC Value 0x0
New value Attributes: New UAC Value 0x80
User Account Control Attributes: User Account Control
User Parameters Attributes: User Parameters -
SID History Attributes: SID History -
Logon Hours Attributes: Logon Hours <value not set>
DNS Host Name Attributes: DNS Host Name -
Service Principal Names Attributes: Service Principal Names -
Comments
You must be logged in to comment