ANAVEM
EnglishFrancais
ANAVEM
Languagefr
Active Directory management console showing computer account administration and security event monitoring
Event ID 4744InformationMicrosoft-Windows-Security-AuditingWindows

Windows Event ID 4744 – Microsoft-Windows-Security-Auditing: Computer Account Created

Event ID 4744 logs when a computer account is created in Active Directory. This security audit event tracks domain computer additions for compliance and security monitoring purposes.

Emanuel DE ALMEIDAEmanuel DE ALMEIDA
18 March 202612 min read 0
Event ID 4744Microsoft-Windows-Security-Auditing 5 methods 12 min
Event Reference

What This Event Means

Event ID 4744 represents a fundamental security audit event in Windows Active Directory environments. When this event fires, it indicates that a new computer account has been successfully created in the domain, either through administrative tools, automated processes, or domain join operations.

The event contains structured data including the Subject fields (who performed the action), New Computer Account fields (details about the created account), and Additional Information such as the source workstation and privileges used. The Subject Security ID typically shows the user or service account that initiated the computer account creation, while the Computer Account Name field displays the NetBIOS name of the newly created computer object.

This event plays a crucial role in security monitoring because unauthorized computer account creation can indicate several security concerns: rogue devices attempting to join the domain, compromised administrative credentials being used to establish persistence, or policy violations where users create computer accounts without proper authorization. Security teams often correlate this event with network access logs and authentication events to build comprehensive security timelines.

The event also supports compliance frameworks like SOX, HIPAA, and PCI-DSS that require detailed audit trails of system changes. Organizations frequently use SIEM solutions to collect and analyze these events across multiple domain controllers to maintain centralized visibility of computer account management activities.

Applies to

Windows Server 2019Windows Server 2022Windows Server 2025Active Directory Domain Controllers
Analysis

Possible Causes

  • Administrator manually creating a computer account using Active Directory Users and Computers
  • Automated scripts or PowerShell commands creating computer accounts via Active Directory cmdlets
  • Domain join operations where the joining computer creates its own account (if permitted)
  • System Center Configuration Manager or other management tools provisioning computer accounts
  • Exchange Server creating computer accounts for certain roles or services
  • Third-party applications with delegated permissions creating computer accounts
  • Group Policy Preferences or startup scripts creating computer accounts
  • Migration tools transferring computer accounts from other domains
Resolution Methods

Troubleshooting Steps

01

Review Event Details in Event Viewer

Start by examining the complete event details to understand the context of the computer account creation.

  1. Open Event Viewer on the domain controller
  2. Navigate to Windows LogsSecurity
  3. Filter for Event ID 4744 using Filter Current Log
  4. Double-click the event to view detailed information
  5. Review the Subject section to identify who created the account:
    • Security ID: The SID of the account that performed the action
    • Account Name: The username that created the computer account
    • Account Domain: The domain of the creating account
    • Logon ID: Session identifier for correlation with other events
  6. Examine the New Computer Account section:
    • Security ID: The SID assigned to the new computer account
    • Account Name: The NetBIOS name of the computer
    • Account Domain: The domain where the account was created
  7. Check Additional Information for privileges used and source workstation
Pro tip: Cross-reference the Logon ID with Event ID 4624 (successful logon) to trace the complete authentication chain.
02

Query Events with PowerShell

Use PowerShell to efficiently search and analyze computer account creation events across multiple domain controllers.

  1. Open PowerShell as Administrator on a domain controller or management workstation
  2. Query recent computer account creation events:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4744} -MaxEvents 50 | Select-Object TimeCreated, Id, LevelDisplayName, Message
  3. Extract specific details from the events:
    $Events = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4744} -MaxEvents 100
foreach ($Event in $Events) {
    $XML = [xml]$Event.ToXml()
    $SubjectUserName = $XML.Event.EventData.Data | Where-Object {$_.Name -eq 'SubjectUserName'} | Select-Object -ExpandProperty '#text'
    $TargetUserName = $XML.Event.EventData.Data | Where-Object {$_.Name -eq 'TargetUserName'} | Select-Object -ExpandProperty '#text'
    $WorkstationName = $XML.Event.EventData.Data | Where-Object {$_.Name -eq 'WorkstationName'} | Select-Object -ExpandProperty '#text'
    
    Write-Output "Time: $($Event.TimeCreated) | Creator: $SubjectUserName | Computer: $TargetUserName | Workstation: $WorkstationName"
}
  4. Filter events by specific time range:
    $StartTime = (Get-Date).AddDays(-7)
$EndTime = Get-Date
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4744; StartTime=$StartTime; EndTime=$EndTime}
  5. Query multiple domain controllers simultaneously:
    $DCs = Get-ADDomainController -Filter *
foreach ($DC in $DCs) {
    Write-Host "Checking $($DC.Name)..."
    Invoke-Command -ComputerName $DC.Name -ScriptBlock {
        Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4744} -MaxEvents 10 -ErrorAction SilentlyContinue
    }
}
Warning: Querying large Security logs can impact domain controller performance. Use time filters and limit results appropriately.
03

Investigate Unauthorized Computer Account Creation

When Event ID 4744 appears unexpectedly, follow these steps to investigate potential security incidents.

  1. Identify the source of the computer account creation by examining the Subject fields in the event
  2. Verify if the creating user has legitimate permissions:
    Get-ADUser -Identity "SuspiciousUser" -Properties MemberOf | Select-Object -ExpandProperty MemberOf
  3. Check the computer account details in Active Directory:
    Get-ADComputer -Identity "NewComputerName" -Properties Created, CreatedBy, LastLogonDate, OperatingSystem
  4. Review related authentication events around the same time:
    $TimeWindow = (Get-Date $Event.TimeCreated).AddMinutes(-30)
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624,4625; StartTime=$TimeWindow; EndTime=(Get-Date $Event.TimeCreated).AddMinutes(30)} | Where-Object {$_.Message -like "*$SubjectUserName*"}
  5. Examine the source workstation mentioned in the event:
    • Verify if the workstation is a known administrative machine
    • Check for signs of compromise on the source system
    • Review network access logs for unusual activity
  6. Correlate with other security events:
    # Look for privilege escalation events
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4672} | Where-Object {$_.TimeCreated -gt $TimeWindow -and $_.Message -like "*$SubjectUserName*"}
  7. If unauthorized, immediately disable the computer account:
    Disable-ADAccount -Identity "SuspiciousComputerName"
Pro tip: Enable Advanced Audit Policy for Account Management to capture more detailed information about computer account operations.
04

Configure Advanced Monitoring and Alerting

Set up proactive monitoring to detect and alert on computer account creation events in real-time.

  1. Configure Advanced Audit Policy on all domain controllers:
    # Enable computer account management auditing
auditpol /set /subcategory:"Computer Account Management" /success:enable /failure:enable
  2. Verify the audit policy is applied:
    auditpol /get /subcategory:"Computer Account Management"
  3. Create a custom Event Viewer filter for monitoring:
    • Open Event ViewerCustom Views
    • Right-click and select Create Custom View
    • Set Event Level to Information
    • Enter Event ID: 4744
    • Select Security log
    • Save as "Computer Account Creation Monitor"
  4. Set up PowerShell-based alerting script:
    # Save as Monitor-ComputerAccountCreation.ps1
$Action = {
    $Event = $Event.SourceEventArgs.NewEvent
    $XML = [xml]$Event.ToXml()
    $ComputerName = $XML.Event.EventData.Data | Where-Object {$_.Name -eq 'TargetUserName'} | Select-Object -ExpandProperty '#text'
    $Creator = $XML.Event.EventData.Data | Where-Object {$_.Name -eq 'SubjectUserName'} | Select-Object -ExpandProperty '#text'
    
    # Send email alert or log to SIEM
    Write-EventLog -LogName Application -Source "Security Monitor" -EventId 1001 -Message "New computer account created: $ComputerName by $Creator"
}

Register-WmiEvent -Query "SELECT * FROM Win32_NTLogEvent WHERE LogFile='Security' AND EventCode=4744" -Action $Action
  5. Configure Windows Event Forwarding (WEF) for centralized collection:
    • Create a custom subscription on the collector server
    • Configure source computers to forward Security events
    • Filter for Event ID 4744 in the subscription
  6. Integrate with SIEM solutions by configuring log forwarding to your security platform
Pro tip: Use Group Policy to deploy audit settings consistently across all domain controllers in your environment.
05

Forensic Analysis and Compliance Reporting

Perform comprehensive analysis of computer account creation patterns for security investigations and compliance requirements.

  1. Export computer account creation events for analysis:
    # Export last 30 days of events to CSV
$StartDate = (Get-Date).AddDays(-30)
$Events = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4744; StartTime=$StartDate}
$Results = @()

foreach ($Event in $Events) {
    $XML = [xml]$Event.ToXml()
    $Results += [PSCustomObject]@{
        TimeCreated = $Event.TimeCreated
        Creator = ($XML.Event.EventData.Data | Where-Object {$_.Name -eq 'SubjectUserName'}).'#text'
        CreatorDomain = ($XML.Event.EventData.Data | Where-Object {$_.Name -eq 'SubjectDomainName'}).'#text'
        ComputerName = ($XML.Event.EventData.Data | Where-Object {$_.Name -eq 'TargetUserName'}).'#text'
        ComputerSID = ($XML.Event.EventData.Data | Where-Object {$_.Name -eq 'TargetSid'}).'#text'
        Workstation = ($XML.Event.EventData.Data | Where-Object {$_.Name -eq 'WorkstationName'}).'#text'
        LogonId = ($XML.Event.EventData.Data | Where-Object {$_.Name -eq 'SubjectLogonId'}).'#text'
    }
}

$Results | Export-Csv -Path "C:\Temp\ComputerAccountCreation.csv" -NoTypeInformation
  2. Analyze patterns and anomalies:
    # Group by creator to identify bulk operations
$Results | Group-Object Creator | Sort-Object Count -Descending | Select-Object Name, Count

# Identify after-hours creations
$Results | Where-Object {$_.TimeCreated.Hour -lt 8 -or $_.TimeCreated.Hour -gt 18} | Format-Table

# Find weekend activity
$Results | Where-Object {$_.TimeCreated.DayOfWeek -eq 'Saturday' -or $_.TimeCreated.DayOfWeek -eq 'Sunday'}
  3. Cross-reference with Active Directory to verify current status:
    foreach ($Computer in $Results.ComputerName) {
    try {
        $ADComputer = Get-ADComputer -Identity $Computer -Properties LastLogonDate, Enabled
        Write-Output "$Computer - Enabled: $($ADComputer.Enabled) - Last Logon: $($ADComputer.LastLogonDate)"
    } catch {
        Write-Output "$Computer - Not found in AD (possibly deleted)"
    }
}
  4. Generate compliance reports:
    # Create monthly summary report
$MonthlyReport = $Results | Group-Object {$_.TimeCreated.ToString("yyyy-MM")} | ForEach-Object {
    [PSCustomObject]@{
        Month = $_.Name
        TotalCreations = $_.Count
        UniqueCreators = ($_.Group.Creator | Sort-Object -Unique).Count
        AfterHours = ($_.Group | Where-Object {$_.TimeCreated.Hour -lt 8 -or $_.TimeCreated.Hour -gt 18}).Count
    }
}

$MonthlyReport | Format-Table -AutoSize
  5. Document findings for audit purposes:
    • Create executive summary of computer account creation trends
    • Identify any policy violations or security concerns
    • Recommend improvements to access controls or monitoring
    • Archive evidence files with proper chain of custody
Warning: Ensure proper data retention policies are followed when collecting and storing audit logs for compliance purposes.

Overview

Event ID 4744 fires whenever a computer account is created in Active Directory. This security audit event appears in the Security log on domain controllers and provides detailed information about who created the computer account, when it was created, and from which workstation the operation was performed.

This event is part of Windows Advanced Audit Policy Configuration under Account Management auditing. Domain administrators typically monitor this event to track unauthorized computer additions, maintain inventory compliance, and investigate security incidents involving rogue devices joining the domain.

The event captures critical details including the subject who performed the action, the target computer account name, security identifiers, and the source workstation. This information proves invaluable for forensic analysis and compliance reporting in enterprise environments.

Event 4744 complements other computer account events like 4741 (computer account changed) and 4743 (computer account deleted), forming a complete audit trail of computer object lifecycle management in Active Directory.

Frequently Asked Questions

What does Event ID 4744 mean and when does it occur?+
Event ID 4744 indicates that a computer account has been created in Active Directory. This event fires whenever a new computer object is added to the domain, whether through administrative tools like Active Directory Users and Computers, PowerShell commands, automated scripts, or during domain join operations. The event captures detailed information about who created the account, when it was created, and from which workstation the operation was performed. This is a normal informational event that occurs during legitimate computer provisioning activities, but it should be monitored for unauthorized or suspicious computer account additions.
How can I tell if a computer account creation was authorized or malicious?+
To determine if a computer account creation was authorized, examine several key factors from Event ID 4744: First, verify the Subject fields to identify who created the account and confirm they have legitimate permissions for computer account management. Check if the creation occurred during business hours from a known administrative workstation. Cross-reference the event with change management records or IT provisioning requests. Look for patterns like multiple computer accounts created in rapid succession, creations from unusual workstations, or accounts created by users who shouldn't have these privileges. Additionally, verify if the computer account is actually being used by checking its last logon date and whether it has joined the domain successfully.
Which users can create computer accounts and trigger Event ID 4744?+
By default, several groups can create computer accounts and trigger Event ID 4744: Domain Admins and Enterprise Admins have full permissions, Account Operators can create computer accounts, and authenticated users have the 'Add workstations to domain' right (limited to 10 by default). Additionally, users or groups can be explicitly delegated the 'Create Computer objects' permission in Active Directory. Service accounts used by management tools like SCCM, automated deployment systems, or Exchange Server may also have these permissions. To review who can create computer accounts, check the 'ms-DS-MachineAccountQuota' attribute and examine delegated permissions in Active Directory Users and Computers under the Advanced Security settings for the Computers container.
How do I configure auditing to ensure Event ID 4744 is logged?+
To ensure Event ID 4744 is logged, you must enable Advanced Audit Policy Configuration for Account Management on your domain controllers. Use the command 'auditpol /set /subcategory:"Computer Account Management" /success:enable /failure:enable' to enable both successful and failed computer account operations. Alternatively, configure this through Group Policy under Computer Configuration → Policies → Windows Settings → Security Settings → Advanced Audit Policy Configuration → Account Management → Audit Computer Account Management. Set it to 'Success and Failure' to capture all computer account activities. Verify the setting is applied using 'auditpol /get /subcategory:"Computer Account Management"'. This audit policy should be deployed to all domain controllers in your environment for comprehensive coverage.
Can Event ID 4744 help with compliance and security monitoring?+
Yes, Event ID 4744 is crucial for compliance and security monitoring in enterprise environments. It provides an audit trail required by frameworks like SOX, HIPAA, PCI-DSS, and ISO 27001 that mandate tracking of system changes and access control modifications. Security teams use this event to detect unauthorized device additions, monitor for privilege abuse, and investigate potential security incidents involving rogue computers joining the domain. The event data can be forwarded to SIEM solutions for correlation with other security events, automated alerting on suspicious patterns, and compliance reporting. Organizations often create dashboards showing computer account creation trends, after-hours activity, and bulk operations to maintain visibility into their Active Directory environment and ensure only authorized systems are joining their domain.
Documentation

References (2)

1
Microsoft Security Auditing Events ReferenceComprehensive guide to Windows security auditing events including Event ID 4744 and related computer account management events.https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/security-auditing-overview
2
Advanced Security Audit Policy SettingsOfficial documentation for configuring advanced audit policies including Account Management subcategories that control Event ID 4744 logging.https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings
Emanuel DE ALMEIDA
Written by

Emanuel DE ALMEIDA

Senior IT Journalist & Cloud Architect

Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.

Tags
#event-id-4744#active-directory#security-auditing

Related Windows Events

Windows security monitoring dashboard displaying audit events and privilege tracking logs
Event 6276
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 6276 – Microsoft-Windows-Security-Auditing: Special Privileges Assigned to New Logon

Event ID 6276 records when special privileges are assigned to a user account during logon, indicating elevated access rights have been granted for the session.

March 189 min
Windows security monitoring dashboard displaying privilege assignment events in a professional SOC environment
Event 6274
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 6274 – Microsoft-Windows-Security-Auditing: Special Privileges Assigned to New Logon

Event ID 6274 records when special privileges are assigned to a new user logon session, indicating elevated access rights have been granted for security-sensitive operations.

March 189 min
Network Policy Server monitoring dashboard showing authentication events and security logs
Event 6273
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 6273 – Microsoft-Windows-Security-Auditing: Network Policy Server Granted Access

Event ID 6273 indicates that Network Policy Server (NPS) has granted network access to a user or device after successful authentication and authorization through RADIUS protocols.

March 189 min
Network operations center displaying Windows NPS authentication monitoring dashboards and security event logs
Event 6272
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 6272 – Microsoft-Windows-Security-Auditing: Network Policy Server Granted Access

Event ID 6272 indicates that Network Policy Server (NPS) has granted network access to a user or device after successful authentication and authorization through RADIUS protocols.

March 1812 min

Discussion

Share your thoughts and insights

You must be logged in to comment.

Log in
Loading comments...