Where do I find event logs for computers being added to or disconnected/deleted from the domain?
I'll list the Event IDs you're concerned with:
- Event ID 4741 - A computer account was created.
- Event ID 4743 - A computer account was deleted.
In order to see these Event IDs in Event Viewer (either logged in directly to your Domain Controller or remotely) you'll need to create a Group Policy Object for your Domain Controller(s):
Computer Configuration
-Policies
-Security Settings
-Advanced Audit Policy Configuration
-Audit Policies
-Account Management
Enable Audit Computer Account Management with at least Success. I have Success and Failure enabled to track both.
Also, here is a nice TechNet Step-by-Step guide on Advanced Audit Policy. https://technet.microsoft.com/en-us/library/dd408940(v=ws.10).aspx
Related videos on Youtube
![How to Set up Windows Event Log Forwarding [Step-by-Step]](https://i.ytimg.com/vi/urRWkyzRI78/hq720.jpg?sqp=-oaymwEcCNAFEJQDSFXyq4qpAw4IARUAAIhCGAFwAcABBg==&rs=AOn4CLBoCx5v8X3PgWjOZkeWm_rN0OeYwA)
05 : 45
07 : 21
08 : 00
03 : 56
10 : 39
02 : 13
Blufftl
Updated on September 18, 2022Comments
-
Blufftl almost 2 years
Since I activated Directory Services logging I wanted to find the logs concerning computers being added with the domain and being deleted/disconnected from the domain.
I've been looking through our "Directory Service" logs and was not able to find any logs that show information about this.
The "find" function also wasn't able to find any logs when looking for the recently added computer name.
Is there any smarter way to find these logs?