Brian, > To summarize, Windows logged "User Account Created" > (EventID 624) instead of "Computer Account Created" > (EventID 645). This is Windows NT 4 running as a > primary domain controller. I'm certain the latest > service packs are installed and about to confirm. I > could not find any relvevant MS knowledge base > articles or hits in Google. Has anyone every seen > similar unusual behaviour? This very may well have been expected behaviour, by design. Have you attempted to replicate it in any way? ===== ------------------------------------------ Harlan Carvey, CISSP "Windows Forensics and Incident Recovery" http://www.windows-ir.com http://groups.yahoo.com/group/windowsir/ "Meddle not in the affairs of dragons, for you are crunchy, and good with ketchup." "The simplicity of this game amuses me. Bring me your finest meats and cheeses." ------------------------------------------ _______________________________________________ LogAnalysis mailing list LogAnalysis@private http://lists.shmoo.com/mailman/listinfo/loganalysis
This archive was generated by hypermail 2.1.3 : Thu Oct 07 2004 - 10:38:13 PDT