ANAVEM
EnglishFrancais
ANAVEM
Languagefr
Windows domain controller displaying Active Directory computer accounts management console
Event ID 4741InformationMicrosoft-Windows-Security-AuditingWindows

Windows Event ID 4741 – Microsoft-Windows-Security-Auditing: Computer Account Created

Event ID 4741 logs when a computer account is created in Active Directory. This security audit event tracks domain join operations and computer object creation for compliance monitoring.

Emanuel DE ALMEIDAEmanuel DE ALMEIDA
18 March 20269 min read 0
Event ID 4741Microsoft-Windows-Security-Auditing 5 methods 9 min
Event Reference

What This Event Means

Event ID 4741 represents a fundamental security audit event in Windows Active Directory environments. When a computer account is created in the domain, whether through automated domain join processes or manual administrative actions, this event captures the complete audit trail including timestamps, account details, and the security context of the creation operation.

The event structure includes several critical fields: the newly created computer account name, its security identifier (SID), the domain name, and most importantly, the subject information showing who or what process initiated the account creation. This subject data includes the logon ID, account name, and domain of the entity responsible for the action, providing complete accountability for computer account management operations.

From a security perspective, Event ID 4741 serves multiple purposes. It enables administrators to track legitimate domain join operations, verify that only authorized personnel are adding systems to the domain, and detect potential security incidents where attackers might attempt to create computer accounts for persistence or lateral movement. The event also supports compliance requirements in regulated environments where computer asset tracking and change management documentation are mandatory.

The event timing is crucial for incident response scenarios. Since computer accounts are often created during initial system deployment or when rebuilding compromised systems, correlating Event ID 4741 with other security events can reveal attack timelines and help identify the scope of security incidents involving unauthorized system access or deployment.

Applies to

Windows Server 2019Windows Server 2022Windows Server 2025Windows 10Windows 11
Analysis

Possible Causes

  • Domain join operations when workstations or servers are added to the Active Directory domain
  • Manual computer account creation through Active Directory Users and Computers console
  • PowerShell cmdlets like New-ADComputer being executed by administrators
  • Automated provisioning scripts or deployment tools creating computer objects
  • System Center Configuration Manager or similar management tools adding computer accounts
  • Exchange Server installation creating computer accounts for Exchange servers
  • Cluster service creating virtual computer objects for failover clusters
  • Third-party domain management tools or APIs creating computer accounts programmatically
Resolution Methods

Troubleshooting Steps

01

Review Event Details in Event Viewer

Start by examining the complete event details to understand the context of the computer account creation.

  1. Open Event Viewer on the domain controller where the event was logged
  2. Navigate to Windows LogsSecurity
  3. Filter for Event ID 4741 using the filter option or search functionality
  4. Double-click the event to view detailed information including:
    • Subject: Shows who created the account (Account Name, Account Domain, Logon ID)
    • New Computer Account: Displays the created account name and SID
    • Attributes: Lists the computer account properties set during creation
  5. Note the timestamp to correlate with other domain join activities or administrative actions
  6. Check if the creating user account has appropriate permissions for computer account creation
Pro tip: Look for patterns in computer account creation times and naming conventions to identify automated deployment processes versus manual administrative actions.
02

Query Events with PowerShell for Analysis

Use PowerShell to efficiently query and analyze computer account creation events across multiple domain controllers.

  1. Open PowerShell as Administrator on a domain controller or system with RSAT installed
  2. Query recent computer account creation events:
    Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4741} -MaxEvents 50 | Select-Object TimeCreated, Id, LevelDisplayName, Message
  3. Filter events by specific time range:
    $StartTime = (Get-Date).AddDays(-7)
$EndTime = Get-Date
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4741; StartTime=$StartTime; EndTime=$EndTime}
  4. Extract specific details from the event data:
    Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4741} -MaxEvents 20 | ForEach-Object {
    $Event = [xml]$_.ToXml()
    [PSCustomObject]@{
        TimeCreated = $_.TimeCreated
        ComputerAccount = $Event.Event.EventData.Data[0].'#text'
        CreatedBy = $Event.Event.EventData.Data[4].'#text'
        Domain = $Event.Event.EventData.Data[5].'#text'
    }
}
  5. Export results for further analysis:
    Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4741} | Export-Csv -Path "C:\Temp\ComputerAccountCreation.csv" -NoTypeInformation
Warning: Large domains may generate thousands of these events. Use appropriate time filters and MaxEvents parameters to avoid performance issues.
03

Correlate with Domain Join Events

Cross-reference Event ID 4741 with related domain join events to get the complete picture of system additions to the domain.

  1. Query for related domain join events on the same domain controller:
    $ComputerName = "WORKSTATION01"
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=@(4741,4742,4743)} | Where-Object {$_.Message -like "*$ComputerName*"}
  2. Check System log for corresponding Netlogon events:
    Get-WinEvent -FilterHashtable @{LogName='System'; ProviderName='Netlogon'} -MaxEvents 100 | Where-Object {$_.Message -like "*$ComputerName*"}
  3. Review Directory Service log for additional context:
    Get-WinEvent -FilterHashtable @{LogName='Directory Service'} -MaxEvents 50 | Where-Object {$_.TimeCreated -gt (Get-Date).AddHours(-1)}
  4. Examine DNS registration events that typically follow domain joins:
    Get-WinEvent -FilterHashtable @{LogName='DNS Server'; ID=@(2,6527,6528)} | Where-Object {$_.Message -like "*$ComputerName*"}
  5. Create a timeline of related events:
    $Events = @()
$Events += Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4741} -MaxEvents 10
$Events += Get-WinEvent -FilterHashtable @{LogName='System'; ProviderName='Netlogon'} -MaxEvents 10
$Events | Sort-Object TimeCreated | Select-Object TimeCreated, LogName, Id, Message
04

Investigate Unauthorized Computer Account Creation

When Event ID 4741 appears unexpectedly, investigate potential security implications and unauthorized account creation.

  1. Identify the user account that created the computer account:
    Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4741} -MaxEvents 20 | ForEach-Object {
    $Event = [xml]$_.ToXml()
    $CreatedBy = $Event.Event.EventData.Data[4].'#text'
    $ComputerAccount = $Event.Event.EventData.Data[0].'#text'
    Write-Output "Computer: $ComputerAccount created by: $CreatedBy at $($_.TimeCreated)"
}
  2. Verify the creating user's permissions in Active Directory:
    Import-Module ActiveDirectory
$UserAccount = "DOMAIN\username"
Get-ADUser -Identity $UserAccount -Properties MemberOf | Select-Object Name, MemberOf
  3. Check if the computer account still exists and its current status:
    $ComputerName = "SUSPICIOUS-PC"
Get-ADComputer -Identity $ComputerName -Properties Created, LastLogonDate, OperatingSystem
  4. Review recent logon events for the creating user account:
    Get-WinEvent -FilterHashtable @{LogName='Security'; ID=@(4624,4625)} | Where-Object {$_.Message -like "*username*"} | Select-Object TimeCreated, Id, Message
  5. Examine Group Policy and delegation settings:
    Get-ADOrganizationalUnit -Filter * -Properties gPLink | Where-Object {$_.gPLink -ne $null} | Select-Object Name, DistinguishedName
  6. If unauthorized creation is confirmed, disable the computer account immediately:
    Disable-ADAccount -Identity "SUSPICIOUS-PC"
Set-ADComputer -Identity "SUSPICIOUS-PC" -Description "Disabled due to unauthorized creation - $(Get-Date)"
Warning: Disabling computer accounts will immediately prevent the associated system from authenticating to the domain. Ensure proper authorization before taking this action.
05

Implement Monitoring and Alerting for Computer Account Creation

Set up proactive monitoring to detect and alert on computer account creation events for security and compliance purposes.

  1. Create a custom Windows Event Forwarding subscription to centralize Event ID 4741:
    <Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
    <SubscriptionId>ComputerAccountCreation</SubscriptionId>
    <SubscriptionType>SourceInitiated</SubscriptionType>
    <Description>Monitor computer account creation events</Description>
    <Query>
        <![CDATA[
        <QueryList>
            <Query Id="0">
                <Select Path="Security">*[System[EventID=4741]]</Select>
            </Query>
        </QueryList>
        ]]>
    </Query>
</Subscription>
  2. Configure a scheduled task to run monitoring script:
    $Action = New-ScheduledTaskAction -Execute "PowerShell.exe" -Argument "-File C:\Scripts\Monitor-ComputerAccountCreation.ps1"
$Trigger = New-ScheduledTaskTrigger -Daily -At "09:00AM"
Register-ScheduledTask -TaskName "Monitor Computer Account Creation" -Action $Action -Trigger $Trigger
  3. Create a PowerShell monitoring script that checks for new events:
    # Monitor-ComputerAccountCreation.ps1
$LastCheck = (Get-Date).AddDays(-1)
$Events = Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4741; StartTime=$LastCheck}

foreach ($Event in $Events) {
    $EventXML = [xml]$Event.ToXml()
    $ComputerAccount = $EventXML.Event.EventData.Data[0].'#text'
    $CreatedBy = $EventXML.Event.EventData.Data[4].'#text'
    
    # Send alert email or write to monitoring system
    Write-EventLog -LogName Application -Source "ComputerAccountMonitor" -EventId 1001 -Message "Computer account $ComputerAccount created by $CreatedBy"
}
  4. Set up Windows Event Log alerts using Task Scheduler:
    $TaskAction = New-ScheduledTaskAction -Execute "PowerShell.exe" -Argument "-Command Send-MailMessage -To 'admin@company.com' -From 'alerts@company.com' -Subject 'Computer Account Created' -Body 'Event ID 4741 detected' -SmtpServer 'mail.company.com'"
$TaskTrigger = New-CimInstance -ClassName MSFT_TaskEventTrigger -Namespace Root/Microsoft/Windows/TaskScheduler -ClientOnly
$TaskTrigger.Subscription = '<QueryList><Query Id="0" Path="Security"><Select Path="Security">*[System[EventID=4741]]</Select></Query></QueryList>'
Register-ScheduledTask -TaskName "Alert on Computer Account Creation" -Action $TaskAction -Trigger $TaskTrigger
  5. Configure audit policy to ensure Event ID 4741 is logged:
    auditpol /set /subcategory:"Computer Account Management" /success:enable /failure:enable
Pro tip: Consider implementing threshold-based alerting to avoid notification fatigue in environments with frequent legitimate computer account creation.

Overview

Event ID 4741 fires whenever a computer account is created in Active Directory. This security audit event is part of Windows' comprehensive auditing framework and appears in the Security log on domain controllers. The event captures critical details about computer account creation including the account name, security identifier (SID), and the user or process responsible for the creation.

This event typically occurs during domain join operations when workstations or servers are added to the domain. It also fires when administrators manually create computer objects through Active Directory Users and Computers, PowerShell cmdlets, or automated provisioning scripts. The event is essential for security monitoring as unauthorized computer account creation could indicate privilege escalation attempts or rogue system deployment.

Domain controllers generate this event by default when object access auditing is enabled. The event provides forensic value for tracking when systems joined the domain and identifying who authorized the addition. Security teams rely on Event ID 4741 for compliance reporting and detecting suspicious computer account creation patterns that might indicate lateral movement or unauthorized domain access.

Frequently Asked Questions

What does Event ID 4741 mean and when does it occur?+
Event ID 4741 indicates that a computer account has been created in Active Directory. This event occurs whenever a new computer object is added to the domain, typically during domain join operations when workstations or servers are added to the network. It also fires when administrators manually create computer accounts through management tools or when automated provisioning systems deploy new systems. The event is logged on domain controllers and provides an audit trail of computer account creation activities for security monitoring and compliance purposes.
How can I identify who created a specific computer account using Event ID 4741?+
The Event ID 4741 details include comprehensive subject information showing exactly who created the computer account. In Event Viewer, examine the 'Subject' section which displays the Account Name, Account Domain, and Logon ID of the user or process responsible for the creation. You can also use PowerShell to extract this information programmatically by parsing the event XML data. The event captures both the security context of the creating entity and the details of the newly created computer account, providing complete accountability for the action.
Is Event ID 4741 a security concern that requires immediate attention?+
Event ID 4741 itself is an informational audit event and not inherently a security concern. However, unexpected or unauthorized computer account creation can indicate security issues such as privilege escalation, rogue system deployment, or lateral movement attempts by attackers. The event becomes concerning when it occurs outside of normal business processes, involves unauthorized users, or shows patterns suggesting malicious activity. Regular monitoring of these events helps detect anomalies and ensures only authorized personnel are adding systems to the domain.
Why am I not seeing Event ID 4741 in my Security log?+
Event ID 4741 requires specific audit policy settings to be enabled. If you're not seeing these events, check that 'Audit Computer Account Management' is enabled in your Group Policy or local security policy. Use the command 'auditpol /get /subcategory:"Computer Account Management"' to verify the current setting. The policy should be set to audit both success and failure events. Additionally, ensure you're checking the Security log on domain controllers, as this is where computer account creation events are logged. The audit policy can be configured through Group Policy Management Console under Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration.
How can I correlate Event ID 4741 with actual domain join operations?+
To correlate Event ID 4741 with domain join operations, examine multiple event sources simultaneously. Check the System log for Netlogon events that indicate successful domain authentication, review DNS Server logs for dynamic DNS registration events, and look for corresponding events like 4742 (computer account changed) or 4743 (computer account deleted). The timing correlation is crucial - domain join operations typically generate Event ID 4741 followed by Netlogon authentication events within minutes. You can use PowerShell to create a timeline of related events by querying multiple logs and sorting by timestamp to see the complete sequence of a system joining the domain.
Documentation

References (2)

1
Microsoft Security Auditing Events ReferenceComprehensive guide to Windows security auditing events including Event ID 4741 and related computer account management events.https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/security-auditing-overview
2
Advanced Security Audit Policy SettingsOfficial documentation on configuring audit policies for computer account management and other security events.https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings
Emanuel DE ALMEIDA
Written by

Emanuel DE ALMEIDA

Senior IT Journalist & Cloud Architect

Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.

Tags
#event-id-4741#active-directory#security-auditing

Related Windows Events

Windows security monitoring dashboard displaying audit events and privilege tracking logs
Event 6276
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 6276 – Microsoft-Windows-Security-Auditing: Special Privileges Assigned to New Logon

Event ID 6276 records when special privileges are assigned to a user account during logon, indicating elevated access rights have been granted for the session.

March 189 min
Windows security monitoring dashboard displaying privilege assignment events in a professional SOC environment
Event 6274
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 6274 – Microsoft-Windows-Security-Auditing: Special Privileges Assigned to New Logon

Event ID 6274 records when special privileges are assigned to a new user logon session, indicating elevated access rights have been granted for security-sensitive operations.

March 189 min
Network Policy Server monitoring dashboard showing authentication events and security logs
Event 6273
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 6273 – Microsoft-Windows-Security-Auditing: Network Policy Server Granted Access

Event ID 6273 indicates that Network Policy Server (NPS) has granted network access to a user or device after successful authentication and authorization through RADIUS protocols.

March 189 min
Network operations center displaying Windows NPS authentication monitoring dashboards and security event logs
Event 6272
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 6272 – Microsoft-Windows-Security-Auditing: Network Policy Server Granted Access

Event ID 6272 indicates that Network Policy Server (NPS) has granted network access to a user or device after successful authentication and authorization through RADIUS protocols.

March 1812 min

Discussion

Share your thoughts and insights

You must be logged in to comment.

Log in
Loading comments...