ANAVEM
EnglishFrancais
ANAVEM
Languagefr
Windows Server Active Directory management console showing computer accounts and security event logs
Event ID 4745InformationMicrosoft-Windows-Security-AuditingWindows

Windows Event ID 4745 – Microsoft-Windows-Security-Auditing: Computer Account Created

Event ID 4745 logs when a computer account is created in Active Directory. This security audit event tracks domain computer additions for compliance and security monitoring purposes.

Emanuel DE ALMEIDAEmanuel DE ALMEIDA
18 March 20269 min read 0
Event ID 4745Microsoft-Windows-Security-Auditing 5 methods 9 min
Event Reference

What This Event Means

Windows Event ID 4745 is generated by the Microsoft-Windows-Security-Auditing provider when a computer account is successfully created in Active Directory. This event is part of the object access auditing category and requires the "Audit Computer Account Management" policy to be enabled in Group Policy or through Advanced Audit Policy Configuration.

The event contains comprehensive details including the subject who performed the action (user account and logon session), the target computer account being created, and the Active Directory attributes assigned during creation. Key fields include the computer account name, distinguished name (DN), security identifier (SID), and the organizational unit where the account was placed.

This audit event is essential for compliance frameworks like SOX, HIPAA, and PCI-DSS that require detailed logging of directory changes. Security teams use Event 4745 to detect unauthorized computer additions, track legitimate domain expansions, and investigate potential privilege escalation attempts through computer account manipulation.

The event fires on the domain controller that processes the computer account creation request, making it critical to monitor all domain controllers in multi-DC environments. Modern SIEM solutions parse this event to correlate computer account creation with subsequent authentication attempts and policy applications.

Applies to

Windows Server 2019Windows Server 2022Windows Server 2025Windows 10Windows 11
Analysis

Possible Causes

  • Domain administrator creating computer accounts through Active Directory Users and Computers
  • Automated systems or scripts adding computers to the domain during deployment
  • Computer joining the domain for the first time through System Properties or PowerShell
  • Exchange Server or other applications creating computer accounts for service purposes
  • System Center Configuration Manager (SCCM) creating accounts during operating system deployment
  • Third-party identity management tools provisioning computer accounts
  • PowerShell cmdlets like New-ADComputer being executed
  • LDAP applications programmatically creating computer objects in Active Directory
Resolution Methods

Troubleshooting Steps

01

Review Event Details in Event Viewer

Start by examining the event details to understand who created the computer account and when.

  1. Open Event Viewer on the domain controller
  2. Navigate to Windows LogsSecurity
  3. Filter for Event ID 4745 using the filter option
  4. Double-click the event to view details including:
    • Subject: User account that created the computer
    • Computer Account: Name and SID of the new computer
    • Attributes: DN, SAM account name, and OU placement
  5. Note the timestamp and correlate with any scheduled maintenance or deployment activities
Pro tip: Check the "Logon ID" field to correlate with other security events from the same session.
02

Query Events with PowerShell

Use PowerShell to retrieve and analyze computer account creation events across multiple domain controllers.

  1. Run PowerShell as Administrator on a domain controller or management workstation
  2. Query recent computer account creations:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4745} -MaxEvents 50 | Select-Object TimeCreated, Id, @{Name='Computer';Expression={($_.Message -split '\n' | Where-Object {$_ -like '*Account Name:*'})[1] -replace '.*Account Name:\s*',''}}, @{Name='Creator';Expression={($_.Message -split '\n' | Where-Object {$_ -like '*Subject:*' -and $_ -like '*Account Name:*'})[0] -replace '.*Account Name:\s*',''}} | Format-Table -AutoSize
  3. Filter events by specific time range:
    $StartTime = (Get-Date).AddDays(-7)
$Events = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4745; StartTime=$StartTime}
$Events | ForEach-Object {
    $EventXML = [xml]$_.ToXml()
    [PSCustomObject]@{
        TimeCreated = $_.TimeCreated
        ComputerName = $EventXML.Event.EventData.Data[5].'#text'
        CreatedBy = $EventXML.Event.EventData.Data[1].'#text'
        OU = $EventXML.Event.EventData.Data[7].'#text'
    }
} | Format-Table -AutoSize
  4. Export results for further analysis:
    $Events | Export-Csv -Path "C:\Temp\ComputerAccountCreation.csv" -NoTypeInformation
03

Verify Audit Policy Configuration

Ensure proper audit policies are configured to capture computer account management events.

  1. Check current audit policy settings:
    auditpol /get /subcategory:"Computer Account Management"
  2. If not enabled, configure the audit policy:
    auditpol /set /subcategory:"Computer Account Management" /success:enable /failure:enable
  3. Verify Group Policy settings in Group Policy Management Console:
  4. Navigate to Computer ConfigurationPoliciesWindows SettingsSecurity SettingsAdvanced Audit Policy Configuration
  5. Expand Account Management and check Audit Computer Account Management
  6. Ensure both Success and Failure are configured
  7. Force Group Policy update:
    gpupdate /force
Warning: Enabling extensive auditing can generate large volumes of events. Monitor log sizes and retention policies.
04

Investigate Unauthorized Account Creation

When Event 4745 appears unexpectedly, investigate potential security implications.

  1. Identify the source of the computer account creation:
    $SuspiciousEvent = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4745} -MaxEvents 1
$EventXML = [xml]$SuspiciousEvent.ToXml()
$CreatorSID = $EventXML.Event.EventData.Data[0].'#text'
$ComputerSID = $EventXML.Event.EventData.Data[4].'#text'
  2. Check if the creator account has appropriate permissions:
    Get-ADUser -Identity $CreatorSID -Properties MemberOf | Select-Object Name, MemberOf
  3. Verify the computer account details:
    Get-ADComputer -Identity $ComputerSID -Properties Created, CreatedBy, DistinguishedName
  4. Look for related authentication events:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624,4625; StartTime=(Get-Date).AddHours(-2)} | Where-Object {$_.Message -like "*$CreatorSID*"}
  5. Check for subsequent computer account modifications:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4741,4743} | Where-Object {$_.Message -like "*$ComputerSID*"}
  6. Review network logon events from the new computer account
05

Implement Automated Monitoring and Alerting

Set up proactive monitoring for computer account creation events to detect anomalies.

  1. Create a scheduled task to monitor Event 4745:
    $Action = New-ScheduledTaskAction -Execute 'PowerShell.exe' -Argument '-File C:\Scripts\Monitor-ComputerAccounts.ps1'
$Trigger = New-ScheduledTaskTrigger -Once -At (Get-Date) -RepetitionInterval (New-TimeSpan -Minutes 15) -RepetitionDuration (New-TimeSpan -Days 365)
$Settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -StartWhenAvailable
Register-ScheduledTask -TaskName "Monitor Computer Account Creation" -Action $Action -Trigger $Trigger -Settings $Settings -User "SYSTEM"
  2. Create the monitoring script at C:\Scripts\Monitor-ComputerAccounts.ps1:
    # Monitor-ComputerAccounts.ps1
$LastCheck = (Get-Date).AddMinutes(-15)
$Events = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4745; StartTime=$LastCheck} -ErrorAction SilentlyContinue

if ($Events) {
    foreach ($Event in $Events) {
        $EventXML = [xml]$Event.ToXml()
        $ComputerName = $EventXML.Event.EventData.Data[5].'#text'
        $Creator = $EventXML.Event.EventData.Data[1].'#text'
        
        # Send alert email or log to SIEM
        Write-EventLog -LogName Application -Source "AD Monitor" -EventId 1001 -Message "Computer account $ComputerName created by $Creator"
    }
}
  3. Configure Windows Event Forwarding to centralize logs:
    wecutil cs C:\Config\ComputerAccountSubscription.xml
  4. Set up SIEM correlation rules to detect patterns like multiple rapid computer account creations or creations outside business hours
  5. Implement threshold-based alerting for unusual volumes of computer account creation events
Pro tip: Integrate with Microsoft Sentinel or other SIEM solutions for advanced threat detection and automated response capabilities.

Overview

Event ID 4745 fires whenever a computer account is created in Active Directory. This security audit event appears in the Security log on domain controllers and provides detailed information about who created the computer account, when it was created, and which organizational unit it was placed in. The event is part of Windows Advanced Audit Policy Configuration under Account Management auditing.

This event is crucial for security monitoring as unauthorized computer account creation can indicate potential security breaches or policy violations. Domain administrators rely on this event to track legitimate computer additions during domain joins, imaging processes, and infrastructure expansions. The event captures the security identifier (SID) of both the creator and the new computer account, along with timestamps and location details within the directory structure.

Event 4745 typically appears alongside Event 4741 (computer account changed) and Event 4743 (computer account deleted) to provide a complete audit trail of computer account lifecycle management in Active Directory environments.

Frequently Asked Questions

What does Event ID 4745 mean and when does it occur?+
Event ID 4745 indicates that a computer account has been created in Active Directory. This event occurs whenever a new computer object is added to the domain, whether through manual creation by administrators, automated deployment processes, or when computers join the domain for the first time. The event is logged on the domain controller that processes the account creation request and provides detailed information about who created the account, when it was created, and where it was placed in the directory structure.
How can I tell who created a computer account from Event 4745?+
Event 4745 contains detailed subject information that identifies who created the computer account. In the event details, look for the 'Subject' section which includes the Account Name, Account Domain, and Logon ID of the user who performed the action. You can also find the Security ID (SID) of the creator. If the creation was performed by a service account or automated process, this will be reflected in the subject information. Cross-reference the Logon ID with other security events to get a complete picture of the session that created the account.
Why am I not seeing Event 4745 in my Security log?+
Event 4745 requires specific audit policies to be enabled. You need to configure 'Audit Computer Account Management' under Advanced Audit Policy Configuration or enable 'Audit account management' in the basic audit policy. Check your Group Policy settings under Computer Configuration → Policies → Windows Settings → Security Settings → Advanced Audit Policy Configuration → Account Management. Ensure both Success and Failure auditing are enabled. Also verify that the policy is being applied to your domain controllers by running 'gpupdate /force' and checking with 'auditpol /get /subcategory:"Computer Account Management"'.
Can Event 4745 help detect security threats?+
Yes, Event 4745 is valuable for security monitoring and threat detection. Unauthorized computer account creation can indicate several security issues: attackers attempting to establish persistence by creating rogue computer accounts, privilege escalation attempts, or policy violations. Monitor for computer accounts created outside normal business hours, by unauthorized users, or in unusual organizational units. Correlate Event 4745 with subsequent authentication events (4624/4625) and account modification events (4741) to identify suspicious patterns. Implement alerting for multiple rapid computer account creations or accounts created by non-administrative users.
How do I query Event 4745 across multiple domain controllers?+
To query Event 4745 across multiple domain controllers, use PowerShell with Invoke-Command to execute remote queries. First, get your domain controller list with 'Get-ADDomainController -Filter *', then use a script like: 'Invoke-Command -ComputerName $DCs -ScriptBlock { Get-WinEvent -FilterHashtable @{LogName="Security"; Id=4745} -MaxEvents 100 }'. For centralized monitoring, configure Windows Event Forwarding (WEF) to collect security events from all domain controllers to a central collector. You can also use tools like Microsoft Sentinel, Splunk, or other SIEM solutions to aggregate and analyze these events across your entire Active Directory infrastructure.
Documentation

References (2)

1
Microsoft Security Auditing Events ReferenceComprehensive guide to Windows security auditing events including Event ID 4745 and related computer account management events.https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/security-auditing-overview
2
Advanced Audit Policy ConfigurationOfficial documentation for configuring advanced audit policies including computer account management auditing.https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings
Emanuel DE ALMEIDA
Written by

Emanuel DE ALMEIDA

Senior IT Journalist & Cloud Architect

Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.

Tags
#event-id-4745#active-directory#security-auditing

Related Windows Events

Windows security monitoring dashboard displaying audit events and privilege tracking logs
Event 6276
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 6276 – Microsoft-Windows-Security-Auditing: Special Privileges Assigned to New Logon

Event ID 6276 records when special privileges are assigned to a user account during logon, indicating elevated access rights have been granted for the session.

March 189 min
Windows security monitoring dashboard displaying privilege assignment events in a professional SOC environment
Event 6274
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 6274 – Microsoft-Windows-Security-Auditing: Special Privileges Assigned to New Logon

Event ID 6274 records when special privileges are assigned to a new user logon session, indicating elevated access rights have been granted for security-sensitive operations.

March 189 min
Network Policy Server monitoring dashboard showing authentication events and security logs
Event 6273
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 6273 – Microsoft-Windows-Security-Auditing: Network Policy Server Granted Access

Event ID 6273 indicates that Network Policy Server (NPS) has granted network access to a user or device after successful authentication and authorization through RADIUS protocols.

March 189 min
Network operations center displaying Windows NPS authentication monitoring dashboards and security event logs
Event 6272
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 6272 – Microsoft-Windows-Security-Auditing: Network Policy Server Granted Access

Event ID 6272 indicates that Network Policy Server (NPS) has granted network access to a user or device after successful authentication and authorization through RADIUS protocols.

March 1812 min

Discussion

Share your thoughts and insights

You must be logged in to comment.

Log in
Loading comments...