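@echo off
rem Alan Kaplan 9/16/2009 alan dot kaplan at va dot gov
rem This tries to determine who joined a PC to a domain by looking
rem at the security descriptor for who has validated write to DNS host name.
rem Unfortunately, if the user is part of Domain Admins, all you see is Domain Admins.
rem Global catalog is searched.
rem 9/17/2009 v. 1.1 Added handling for computer not found and domain admins,
rem also user name resolution and date created stamp.
rem
rem Usage: run with the computer SAM account name as the first argument, or
rem        with no argument to be prompted for it.
rem
rem Review notes:
rem  - The result is an inference from the object ACL, not an audit record.
rem    Anyone able to edit the ACL can change what is reported here.
rem    Corroborate with other evidence where it matters, for example the
rem    mS-DS-CreatorSID attribute of the computer object or account-creation
rem    events in the domain controller Security log - TODO confirm which of
rem    these your environment retains.
rem  - The computer name is spliced into command lines and an LDAP filter, so
rem    it is checked against an allow-list before any use.
rem  - Text read back from dsacls is directory-controlled data. It is handled
rem    with delayed expansion so that it is never re-parsed as command text.
rem    Side effect: a DN or trustee containing an exclamation mark is not
rem    handled correctly and ends up in the not-identified branch.

setlocal EnableExtensions EnableDelayedExpansion

rem Clear the working variables so values inherited from the calling
rem environment can never be mistaken for lookup results.
set "PCName="
set "DN="
set "output="
set "ObjCreator="
set "NTName="
set "BadName="

if not "%~1"=="" goto HaveArg
echo Find who joined what computer account to domain
set /p "PCName=(use SAMAccount, (EX: %COMPUTERNAME%, not FQDN): "
goto Validate

:HaveArg
set "PCName=%~1"

:Validate
if not defined PCName (
    echo No computer name was supplied.
    goto end
)
rem Allow-list check. The for /f body runs only when a character outside the
rem delimiter list is present. A semicolon is tested separately because it is
rem the default end-of-line character of for /f and could hide the rest.
if not "!PCName:;=!"=="!PCName!" set "BadName=1"
for /f "delims=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_." %%c in ("!PCName!") do set "BadName=1"
if defined BadName (
    echo Computer name may contain only letters, digits, hyphen, underscore and period.
    goto end
)

:main
rem note this is back single quote, ` and not '
rem put DN into environment variable DN
for /f "usebackq delims=;" %%x in (`dsquery computer forestroot -samid "%PCName%$"`) do set "DN=%%x"
if not defined DN goto NotFound

rem Find the line you want: an entry that mentions DNS and is not granted to SELF.
rem When several lines match, the last one wins.
rem dsquery prints the DN already wrapped in double quotes, so DN is passed as is.
for /f "usebackq delims=;" %%x in (`dsacls %DN% ^| find /i "DNS" ^| find /v "SELF"`) do set "output=%%x"
cls
if not defined output goto Unresolved

rem start at 6, go thru 25. Should be enough
rem Offset 6 skips the leading access-type column; longer trustee names are truncated.
set "ObjCreator=!output:~6,25!"

set ObjCreator | find "Domain Admins" > nul
if not errorlevel 1 goto DA
set ObjCreator | find "Enterprise Admins" > nul
if not errorlevel 1 goto EA

rem A trustee without a backslash is not a DOMAIN\account pair and cannot be looked up.
set ObjCreator | find "\" > nul
if errorlevel 1 goto Unresolved

echo %PCName% joined to the domain by !ObjCreator!
for /f "tokens=1,2 delims=\" %%a in ("!ObjCreator!") do set "NTName=%%b"

rem The fixed-width slice leaves trailing padding; strip it so the name can be quoted.
:TrimName
if not defined NTName goto DateCreated
if "!NTName:~-1!"==" " (
    set "NTName=!NTName:~0,-1!"
    goto TrimName
)
dsquery user forestroot -samid "!NTName!" -o rdn
goto DateCreated

:DA
echo %PCName% joined by a member of Domain Admins.
echo They are not individually identified in AD.
goto DateCreated

:EA
echo %PCName% joined by a member of Enterprise Admins.
echo They are not individually identified in AD.
goto DateCreated

:Unresolved
echo Could not identify a joining account for %PCName% from its ACL.
goto DateCreated

:DateCreated
echo.
echo AD account creation:
dsquery * forestroot -filter "(&(objectCategory=computer)(samaccountname=%PCName%$))" -attr whenCreated
goto end

:NotFound
echo Computer account %PCName% was not found

:end
endlocal
pause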