ANAVEM
EnglishFrancais
ANAVEM
Languagefr
Active Directory Users and Computers console showing computer account management interface
Event ID 4761InformationMicrosoft-Windows-Security-AuditingWindows

Windows Event ID 4761 – Microsoft-Windows-Security-Auditing: Computer Account Created

Event ID 4761 logs when a computer account is created in Active Directory. This security audit event tracks domain computer additions for compliance and security monitoring purposes.

Emanuel DE ALMEIDAEmanuel DE ALMEIDA
18 March 202612 min read 0
Event ID 4761Microsoft-Windows-Security-Auditing 5 methods 12 min
Event Reference

What This Event Means

Event ID 4761 represents a fundamental security audit event in Windows Active Directory environments. When this event fires, it indicates that a new computer account has been successfully created within the domain structure. The event is generated by the Microsoft-Windows-Security-Auditing provider and appears exclusively in the Security event log on domain controllers.

The event contains comprehensive information about the account creation process, including the security context of the user or service that initiated the creation, the target computer account details, and the Active Directory location where the account was placed. This granular logging enables administrators to maintain detailed audit trails of all computer account modifications within their domain infrastructure.

From a security perspective, Event ID 4761 serves as a critical monitoring point for detecting unauthorized computer additions to the domain. Attackers who gain sufficient privileges might attempt to create rogue computer accounts to establish persistence or facilitate lateral movement. Regular monitoring of these events helps security teams identify such activities and respond appropriately.

The event also plays a vital role in compliance frameworks that require detailed logging of directory service changes. Organizations subject to regulations like SOX, HIPAA, or PCI-DSS often rely on Event ID 4761 logs to demonstrate proper access controls and change management procedures for their Active Directory infrastructure.

Applies to

Windows Server 2019Windows Server 2022Windows Server 2025Active Directory Domain Controllers
Analysis

Possible Causes

  • Domain join operations when computers are added to the Active Directory domain
  • Manual computer account creation through Active Directory Users and Computers console
  • Automated provisioning systems creating computer accounts via PowerShell or other management tools
  • System Center Configuration Manager or similar deployment tools pre-staging computer accounts
  • Exchange Server creating computer accounts for certain roles or services
  • Third-party directory management tools performing bulk computer account creation
  • PowerShell scripts using New-ADComputer cmdlet or similar Active Directory modules
  • LDAP-based applications programmatically creating computer accounts
Resolution Methods

Troubleshooting Steps

01

Review Event Details in Event Viewer

Start by examining the event details to understand the context of the computer account creation.

  1. Open Event Viewer on the domain controller
  2. Navigate to Windows LogsSecurity
  3. Filter for Event ID 4761 using the filter option
  4. Double-click on a recent Event ID 4761 entry
  5. Review the following key fields in the event details:
    • Subject: Shows who created the account (Security ID, Account Name, Domain)
    • New Computer Account: Displays the created computer name and domain
    • Attributes: Lists the distinguished name and other account properties
  6. Check the timestamp to correlate with known system activities
  7. Note the Logon ID to trace related authentication events
Pro tip: Cross-reference the Subject Security ID with Event ID 4624 (logon events) to understand the full authentication context.
02

Query Events with PowerShell

Use PowerShell to efficiently query and analyze Event ID 4761 occurrences across your domain controllers.

  1. Open PowerShell as Administrator on a domain controller
  2. Query recent computer account creation events:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4761} -MaxEvents 50 | Select-Object TimeCreated, Id, @{Name='Computer';Expression={($_.Message -split '\n' | Where-Object {$_ -like '*New Computer Account:*'} | Select-Object -First 1) -replace '.*Account Name:\s*(.*)','$1'}}, @{Name='Creator';Expression={($_.Message -split '\n' | Where-Object {$_ -like '*Subject:*'} -A 3 | Where-Object {$_ -like '*Account Name:*'}) -replace '.*Account Name:\s*(.*)','$1'}}
  3. Filter events by specific time range:
    $StartTime = (Get-Date).AddDays(-7)
$Events = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4761; StartTime=$StartTime}
$Events | Format-Table TimeCreated, Id, MachineName -AutoSize
  4. Export results for analysis:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4761} -MaxEvents 100 | Export-Csv -Path "C:\Temp\ComputerAccountCreation.csv" -NoTypeInformation
  5. Search for specific computer account patterns:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4761} | Where-Object {$_.Message -like '*WORKSTATION*'} | Select-Object TimeCreated, Message
03

Correlate with Active Directory Logs

Cross-reference Event ID 4761 with other Active Directory events to build a complete picture of computer account management activities.

  1. Check Directory Service logs for additional context:
    Get-WinEvent -FilterHashtable @{LogName='Directory Service'; StartTime=(Get-Date).AddHours(-24)} | Where-Object {$_.Message -like '*computer*'}
  2. Look for related security events around the same timeframe:
    $TimeWindow = 5 # minutes
$Event4761 = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4761} -MaxEvents 1
$StartTime = $Event4761.TimeCreated.AddMinutes(-$TimeWindow)
$EndTime = $Event4761.TimeCreated.AddMinutes($TimeWindow)
Get-WinEvent -FilterHashtable @{LogName='Security'; StartTime=$StartTime; EndTime=$EndTime} | Where-Object {$_.Id -in @(4624,4625,4768,4769)} | Format-Table TimeCreated, Id, Message -Wrap
  3. Query DNS logs for computer registration:
    Get-WinEvent -FilterHashtable @{LogName='DNS Server'} | Where-Object {$_.Message -like '*computer_name*'}
  4. Check Group Policy logs if computer accounts are being added to specific OUs:
    Get-WinEvent -FilterHashtable @{LogName='System'} | Where-Object {$_.Id -eq 1006 -and $_.Message -like '*Group Policy*'}
  5. Use Active Directory PowerShell module to verify account details:
    Import-Module ActiveDirectory
Get-ADComputer -Filter "Created -gt '$((Get-Date).AddDays(-1).ToString('yyyy-MM-dd'))'" -Properties Created, CreatedBy | Format-Table Name, Created, CreatedBy
04

Implement Advanced Monitoring and Alerting

Set up comprehensive monitoring to track computer account creation patterns and detect anomalies.

  1. Create a custom Windows Event Forwarding subscription:
    <Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>ComputerAccountCreation</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Monitor computer account creation events</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <Query><![CDATA[
    <QueryList>
      <Query Id="0">
        <Select Path="Security">*[System[EventID=4761]]</Select>
      </Query>
    </QueryList>
  ]]></Query>
</Subscription>
  2. Configure PowerShell-based alerting script:
    Register-WmiEvent -Query "SELECT * FROM __InstanceCreationEvent WITHIN 10 WHERE TargetInstance ISA 'Win32_NTLogEvent' AND TargetInstance.LogFile = 'Security' AND TargetInstance.EventCode = 4761" -Action {
    $Event = $Event.SourceEventArgs.NewEvent.TargetInstance
    $Message = "Computer account created: $($Event.Message)"
    Write-EventLog -LogName Application -Source "CustomMonitoring" -EventId 1001 -Message $Message
    # Add email notification or SIEM integration here
}
  3. Set up scheduled task to analyze patterns:
    $Action = New-ScheduledTaskAction -Execute "PowerShell.exe" -Argument "-File C:\Scripts\AnalyzeComputerCreation.ps1"
$Trigger = New-ScheduledTaskTrigger -Daily -At "09:00AM"
$Settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries
Register-ScheduledTask -TaskName "ComputerAccountAnalysis" -Action $Action -Trigger $Trigger -Settings $Settings
  4. Create baseline metrics for normal computer account creation rates
  5. Configure SIEM integration to correlate with other security events
Warning: Ensure proper permissions are configured for event forwarding and monitoring scripts to prevent security gaps.
05

Forensic Analysis and Incident Response

Perform detailed forensic analysis when investigating suspicious computer account creation activities.

  1. Extract detailed event information for forensic analysis:
    $SuspiciousEvents = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4761; StartTime=(Get-Date).AddDays(-30)}
$DetailedAnalysis = foreach ($Event in $SuspiciousEvents) {
    $EventXML = [xml]$Event.ToXml()
    [PSCustomObject]@{
        TimeCreated = $Event.TimeCreated
        SubjectUserSid = $EventXML.Event.EventData.Data | Where-Object {$_.Name -eq 'SubjectUserSid'} | Select-Object -ExpandProperty '#text'
        SubjectUserName = $EventXML.Event.EventData.Data | Where-Object {$_.Name -eq 'SubjectUserName'} | Select-Object -ExpandProperty '#text'
        TargetUserName = $EventXML.Event.EventData.Data | Where-Object {$_.Name -eq 'TargetUserName'} | Select-Object -ExpandProperty '#text'
        TargetDomainName = $EventXML.Event.EventData.Data | Where-Object {$_.Name -eq 'TargetDomainName'} | Select-Object -ExpandProperty '#text'
    }
}
$DetailedAnalysis | Export-Csv -Path "C:\Forensics\Event4761_Analysis.csv" -NoTypeInformation
  2. Correlate with authentication events to trace the attack chain:
    $TimeRange = 30 # minutes before and after
foreach ($Event in $SuspiciousEvents) {
    $StartTime = $Event.TimeCreated.AddMinutes(-$TimeRange)
    $EndTime = $Event.TimeCreated.AddMinutes($TimeRange)
    $RelatedEvents = Get-WinEvent -FilterHashtable @{LogName='Security'; StartTime=$StartTime; EndTime=$EndTime; Id=@(4624,4625,4648,4672)}
    Write-Output "Events around $($Event.TimeCreated):"
    $RelatedEvents | Format-Table TimeCreated, Id, @{Name='User';Expression={($_.Message -split '\n' | Where-Object {$_ -like '*Account Name:*'} | Select-Object -First 1) -replace '.*Account Name:\s*(.*)','$1'}}
}
  3. Check for privilege escalation indicators:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4672} | Where-Object {$_.TimeCreated -gt (Get-Date).AddDays(-7)} | Format-Table TimeCreated, @{Name='User';Expression={($_.Message -split '\n' | Where-Object {$_ -like '*Subject:*'} -A 3 | Where-Object {$_ -like '*Account Name:*'}) -replace '.*Account Name:\s*(.*)','$1'}}
  4. Generate comprehensive incident report:
    $IncidentReport = @{
    'Investigation_Date' = Get-Date
    'Suspicious_Events' = $SuspiciousEvents.Count
    'Affected_Computers' = ($DetailedAnalysis | Select-Object -Unique TargetUserName).Count
    'Unique_Creators' = ($DetailedAnalysis | Select-Object -Unique SubjectUserName).Count
    'Time_Range' = "$($SuspiciousEvents | Measure-Object TimeCreated -Minimum | Select-Object -ExpandProperty Minimum) to $($SuspiciousEvents | Measure-Object TimeCreated -Maximum | Select-Object -ExpandProperty Maximum)"
}
$IncidentReport | ConvertTo-Json | Out-File "C:\Forensics\Event4761_IncidentReport.json"
  5. Document findings and preserve evidence for potential legal proceedings

Overview

Event ID 4761 fires whenever a computer account is created in Active Directory. This security audit event appears in the Security log on domain controllers and provides detailed information about who created the computer account, when it was created, and which organizational unit it was placed in. The event is part of Windows' comprehensive security auditing framework and is essential for tracking domain computer additions.

This event typically occurs during domain join operations, when administrators manually create computer accounts through Active Directory Users and Computers, or when automated systems provision new machines. The event captures critical details including the creator's security identifier, the computer account name, and the distinguished name of the target location in Active Directory.

System administrators rely on Event ID 4761 for security compliance, change tracking, and investigating unauthorized computer account creation. The event works in conjunction with other security audit events to provide a complete picture of Active Directory modifications. Understanding this event is crucial for maintaining proper security oversight in enterprise environments.

Frequently Asked Questions

What does Event ID 4761 mean and when does it occur?+
Event ID 4761 indicates that a computer account has been created in Active Directory. This event fires whenever a new computer object is added to the domain, whether through domain join operations, manual creation via administrative tools, or automated provisioning systems. The event appears in the Security log on domain controllers and provides detailed information about who created the account, when it was created, and where it was placed in the directory structure. This is a normal operational event that occurs during legitimate computer deployment and domain management activities.
How can I identify who created a specific computer account using Event ID 4761?+
Event ID 4761 contains detailed subject information that identifies the creator of the computer account. In the event details, look for the 'Subject' section which includes the Security ID, Account Name, Account Domain, and Logon ID of the user or service that created the account. You can use PowerShell to extract this information: Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4761} | ForEach-Object {$_.Message -split '\n' | Where-Object {$_ -like '*Subject:*' -or $_ -like '*Account Name:*'}}. The Logon ID can be cross-referenced with Event ID 4624 (successful logon) to get additional context about the authentication session.
Is Event ID 4761 a security concern that requires immediate attention?+
Event ID 4761 itself is an informational event that represents normal Active Directory operations. However, it becomes a security concern when computer accounts are created unexpectedly, outside of normal business processes, or by unauthorized users. Monitor for patterns such as computer accounts created during off-hours, by service accounts that shouldn't have this privilege, or in unusual organizational units. Establish baselines for normal computer account creation rates and investigate deviations. The event should be part of your security monitoring strategy but doesn't inherently indicate malicious activity.
How do I configure auditing to ensure Event ID 4761 is properly logged?+
Event ID 4761 is generated when the 'Audit Computer Account Management' policy is enabled. To configure this: Open Group Policy Management, edit the Default Domain Controllers Policy, navigate to Computer Configuration → Policies → Windows Settings → Security Settings → Advanced Audit Policy Configuration → Audit Policies → Account Management, and enable 'Audit Computer Account Management' for both Success and Failure events. Apply the policy using gpupdate /force. You can verify the current audit settings using auditpol /get /subcategory:'Computer Account Management'. This ensures all computer account creation, modification, and deletion activities are logged.
Can Event ID 4761 help me track unauthorized domain joins or rogue computers?+
Yes, Event ID 4761 is essential for tracking unauthorized domain joins and identifying rogue computers. When a computer joins the domain, this event logs the creation of the computer account along with details about who initiated the join operation. Monitor for computer accounts created by unexpected users, during unusual hours, or with naming patterns that don't match your organization's standards. Correlate Event ID 4761 with DNS registration events and DHCP logs to get a complete picture of new systems joining your network. Set up automated alerts for computer account creation outside of approved deployment windows or by unauthorized personnel to quickly identify potential security incidents.
Documentation

References (2)

1
Microsoft Security Auditing Events ReferenceComprehensive guide to Windows security auditing events including Event ID 4761 and related computer account management events.https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/security-auditing-overview
2
Advanced Security Audit Policy SettingsOfficial documentation on configuring advanced audit policies for Active Directory computer account management monitoring.https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings
Emanuel DE ALMEIDA
Written by

Emanuel DE ALMEIDA

Senior IT Journalist & Cloud Architect

Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.

Tags
#event-id-4761#active-directory#security-auditing

Related Windows Events

Windows security monitoring dashboard displaying audit events and privilege tracking logs
Event 6276
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 6276 – Microsoft-Windows-Security-Auditing: Special Privileges Assigned to New Logon

Event ID 6276 records when special privileges are assigned to a user account during logon, indicating elevated access rights have been granted for the session.

March 189 min
Windows security monitoring dashboard displaying privilege assignment events in a professional SOC environment
Event 6274
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 6274 – Microsoft-Windows-Security-Auditing: Special Privileges Assigned to New Logon

Event ID 6274 records when special privileges are assigned to a new user logon session, indicating elevated access rights have been granted for security-sensitive operations.

March 189 min
Network Policy Server monitoring dashboard showing authentication events and security logs
Event 6273
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 6273 – Microsoft-Windows-Security-Auditing: Network Policy Server Granted Access

Event ID 6273 indicates that Network Policy Server (NPS) has granted network access to a user or device after successful authentication and authorization through RADIUS protocols.

March 189 min
Network operations center displaying Windows NPS authentication monitoring dashboards and security event logs
Event 6272
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 6272 – Microsoft-Windows-Security-Auditing: Network Policy Server Granted Access

Event ID 6272 indicates that Network Policy Server (NPS) has granted network access to a user or device after successful authentication and authorization through RADIUS protocols.

March 1812 min

Discussion

Share your thoughts and insights

You must be logged in to comment.

Log in
Loading comments...