Who Joined Computer Account to AD Domain

Finding out who joined a particular computer to your domain can be an annoying question, and the answer may go back beyond your logs. Even if you have captured the event, you still need to find the entry. WhoJoinedPC.cmd instead looks at the computer account's security descriptor for “SPECIAL ACCESS for Validated write to DNS host name”, which is granted when the account is created. Unlike the event log, if the user is a member of Domain Admins or Enterprise Admins, only that group is recorded.

Version 2 adds time stamp information, name resolution for owner, and some formatting changes.  If the computer account was imported rather than created, the imported date is recorded by AD as WhenCreated.

From a batch/scripting perspective, this had some interesting challenges solved by the FOR command and the temporary storage of variables in the environment.

Note that this requires DSQUERY, which is native on Server 2003 and later.  (It is on my XP workstation, but I am not sure if I loaded it with something else.)  The batch file queries the global catalog.  Use the SamAccount name (no $) instead of the FQDN.  Rename to .cmd.
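
The same lookup sketched in PowerShell, as an added example that is not the original WhoJoinedPC.cmd: it finds the account in the global catalog, then reports the owner, WhenCreated, and every explicit grantee of the "Validated write to DNS host name" right. It assumes a domain-joined host with .NET directory services available; the helper name `Resolve-Sid` and the output property names are hypothetical, and the GUID is the rights GUID of that validated write.

```powershell
# Added example, not the original batch file. Run as a domain user on a domain-joined host.
param([Parameter(Mandatory)][string]$ComputerName)   # sAMAccountName without the trailing $

# rightsGuid of the "Validated write to DNS host name" validated write
$DnsHostNameRight = [guid]'72e39547-7b18-11d1-adef-00c04fd8d5cd'
$SelfSid          = 'S-1-5-10'   # NT AUTHORITY\SELF normally holds the same right; skip it

function Resolve-Sid([System.Security.Principal.SecurityIdentifier]$Sid) {
    # Fall back to the raw SID when the account was deleted or cannot be resolved
    try   { $Sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $Sid.Value }
}

# Escape LDAP filter metacharacters (RFC 4515) so the name cannot alter the query
$safe = [regex]::Replace($ComputerName.TrimEnd('$'), '[\\*()\x00]',
            { param($m) '\{0:x2}' -f [int][char]$m.Value })

# Locate the account in the global catalog, as the batch file does
$gc = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().FindGlobalCatalog()
$searcher = $gc.GetDirectorySearcher()
$searcher.Filter = "(&(objectCategory=computer)(sAMAccountName=$safe`$))"
$hit = $searcher.FindOne()
if (-not $hit) { throw "No computer account named '$ComputerName' in the global catalog." }

# Bind to the object itself to read its security descriptor and creation time
$entry = [adsi]("LDAP://" + $hit.Properties['distinguishedname'][0])
$sd    = $entry.psbase.ObjectSecurity
$sidT  = [System.Security.Principal.SecurityIdentifier]
$self  = [System.DirectoryServices.ActiveDirectoryRights]::Self

# Explicit (non-inherited) Allow ACEs granting the validated write, excluding SELF
$grantees = $sd.GetAccessRules($true, $false, $sidT) | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.ObjectType -eq $DnsHostNameRight -and
    (($_.ActiveDirectoryRights -band $self) -ne 0) -and
    $_.IdentityReference.Value -ne $SelfSid
} | ForEach-Object { Resolve-Sid $_.IdentityReference }

[pscustomobject]@{
    Computer    = $ComputerName
    WhenCreated = $entry.psbase.Properties['whenCreated'].Value
    Owner       = Resolve-Sid ($sd.GetOwner($sidT))
    GrantedTo   = @($grantees | Sort-Object -Unique)
}
```

A group name such as Domain Admins in `GrantedTo` or `Owner` is the case described above where only the group is recorded, so the individual has to come from the event log instead.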

About Alan

See http://www.akaplan.com/blog/about/