EventPeeker
Event ID 4741 · Audit Success · Security · T1136.003

Windows Event ID 4741: Computer Account Created

Logged when a new computer account is created in Active Directory. The default MachineAccountQuota (10) allows any domain user — not just admins — to create computer accounts, making this a common attacker primitive. Attackers exploit this to create accounts with SPNs for Kerberoasting, set up resource-based constrained delegation (RBCD) attacks, or register a rogue domain controller for DCSync and DCShadow operations.

MITRE ATT&CK

Technique

T1136.003 · Create Account: Domain Account

Tactic

Persistence

View on attack.mitre.org →

Why It Matters

Computer account creation by a non-admin is a reliable signal for MachineAccountQuota abuse. A new computer account with SPNs is an immediate Kerberoasting target — an attacker can request a service ticket for that SPN and crack the computer account's hash offline without any further escalation. For DCSync and DCShadow attacks, registering a rogue DC via LDAP produces a 4741 event as the first step in the attack chain, making early detection here critical to preventing undetected AD replication abuse.

Key Fields

Computer Account Name: The name of the newly created computer account — always ends in `$`. Random names like WIN-A3B7C$ or sequential names are characteristic of attacker-created accounts, whereas legitimate accounts typically match a naming convention tied to an actual hostname.
Subject Account Name: The account that created the computer object — this is the most important field. Any non-Domain Admin or non-provisioning account creating a computer object is suspicious and indicates MachineAccountQuota abuse.
DNS Host Name: The DNS hostname assigned to the new account. Attacker-created accounts often have random or generic DNS names that do not correspond to any real machine registered in DNS — cross-reference against DHCP/DNS records.
Service Principal Names: SPNs registered on the new computer account at creation time. SPNs present on a freshly created account indicate the creator immediately configured Kerberoasting capability — this is rarely done by legitimate provisioning processes at creation time.
Privileges: Privilege flags set on the new account. If SeEnableDelegationPrivilege is set at creation, the account is configured for delegation abuse — an attacker preparing an RBCD attack will set delegation attributes during or immediately after account creation.

Investigation Tips

  1. Non-admin creator is the primary signal: check Subject Account Name against your list of authorized provisioning accounts and Domain Admins. Any domain user outside that list creating a computer account is exploiting MachineAccountQuota — check if the account has previously created other computer objects (MachineAccountQuota allows up to 10 per user).
  2. SPN at creation = Kerberoasting setup: if Service Principal Names is populated in the 4741 event, correlate with Event 4769 (Kerberos service ticket requests) for that SPN within the next 24 hours. An SPN requested immediately after account creation with an RC4 encryption type is a confirmed Kerberoasting attack in progress.
  3. Random or sequential computer names: attackers using tools like PowerMad or impacket to abuse MachineAccountQuota generate names like DESKTOP-A3B7, WORKSTATION-01, or similar generic strings. Compare against your actual machine naming convention — any deviation from the convention warrants investigation.
  4. DCSync and DCShadow chain: DCShadow attacks create a rogue DC registration via LDAP, which generates a 4741 event. If the new computer account name ends in `$` and was created by a non-DC account, check for 4929 (source DSA non-responding) events from non-DC IPs, which indicate the rogue DC initiated replication.
  5. Check MachineAccountQuota: run `Get-ADObject -Identity (Get-ADDomain).DistinguishedName -Properties 'ms-DS-MachineAccountQuota'` to verify the domain value (the default is 10). If MachineAccountQuota is 0 and a computer account was still created by a non-admin, that account has been granted explicit CreateChild rights on an OU — audit those OU permissions.
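The single-event checks from the tips above (creator baseline, SPN at creation, naming convention, DNS cross-reference, Privileges field, per-creator quota count), as an added example in Python that is not EventPeeker's code. The three 4741 EventData fragments are constructed samples trimmed to the fields the script reads, and the authorized-creator list, the naming convention regex and the DNS snapshot are assumptions standing in for your own environment data. The `Data Name` values (`TargetUserName`, `SubjectUserName`, `DnsHostName`, `ServicePrincipalNames`, `PrivilegeList`) are the field names the Security log uses in the 4741 XML.

```python
"""Triage of Event ID 4741 records against the checks in the Investigation Tips.

The three EventData fragments below are constructed samples trimmed to the
fields this script reads; the baseline, naming convention and DNS snapshot are
assumptions standing in for your own environment data.
"""
import re
import xml.etree.ElementTree as ET
from collections import Counter

# Assumption: accounts that legitimately create computer objects (provisioning tools, admins).
AUTHORIZED_CREATORS = {"svc-sccm", "svc-adjoin", "Administrator"}
# Assumption: the site naming convention is <site>-<role>-<4 digits>$, e.g. LON-WS-0042$.
NAMING_CONVENTION = re.compile(r"^[A-Z]{3}-(WS|SRV)-\d{4}\$$")
# Assumption: a snapshot of the domain's DNS A records (lower-case FQDNs).
DNS_RECORDS = {"lon-ws-0042.corp.example", "lon-srv-0007.corp.example"}
# Domain default for ms-DS-MachineAccountQuota unless an admin has changed it.
MACHINE_ACCOUNT_QUOTA = 10

SAMPLE_4741_EVENTS = [
    # Legitimate join by the provisioning service account.
    """<EventData>
  <Data Name="TargetUserName">LON-WS-0042$</Data>
  <Data Name="SubjectUserName">svc-adjoin</Data>
  <Data Name="DnsHostName">lon-ws-0042.corp.example</Data>
  <Data Name="ServicePrincipalNames">-</Data>
  <Data Name="PrivilegeList">-</Data>
</EventData>""",
    # Ordinary domain user creating an account that already carries SPNs.
    """<EventData>
  <Data Name="TargetUserName">DESKTOP-A3B7$</Data>
  <Data Name="SubjectUserName">jsmith</Data>
  <Data Name="DnsHostName">desktop-a3b7.corp.example</Data>
  <Data Name="ServicePrincipalNames">HOST/desktop-a3b7.corp.example
        RestrictedKrbHost/desktop-a3b7.corp.example</Data>
  <Data Name="PrivilegeList">-</Data>
</EventData>""",
    # Same user, second account in the batch: the quota burn-down is the signal.
    """<EventData>
  <Data Name="TargetUserName">WORKSTATION-01$</Data>
  <Data Name="SubjectUserName">jsmith</Data>
  <Data Name="DnsHostName">workstation-01.corp.example</Data>
  <Data Name="ServicePrincipalNames">-</Data>
  <Data Name="PrivilegeList">SeEnableDelegationPrivilege</Data>
</EventData>""",
]


def parse_4741(xml_text):
    """Flatten the <Data Name=...> elements of one 4741 EventData block into a dict."""
    root = ET.fromstring(xml_text)
    return {d.get("Name"): (d.text or "").strip() for d in root.iter("Data")}


def triage(event):
    """Apply the single-event checks from the Investigation Tips; returns a list of findings."""
    findings = []
    creator = event.get("SubjectUserName", "")
    name = event.get("TargetUserName", "")
    if creator not in AUTHORIZED_CREATORS:
        findings.append("non-baseline creator")              # tip 1: MachineAccountQuota abuse candidate
    # SPNs are whitespace-separated in the event data; "-" means none were set.
    spns = [s for s in event.get("ServicePrincipalNames", "-").split() if s != "-"]
    if spns:
        findings.append("SPN at creation")                   # tip 2: correlate with 4769 for these SPNs
    if not NAMING_CONVENTION.match(name):
        findings.append("naming convention deviation")       # tip 3: generic PowerMad/impacket-style names
    if event.get("DnsHostName", "").lower() not in DNS_RECORDS:
        findings.append("no matching DNS record")            # key field: DNS Host Name cross-check
    if "SeEnableDelegationPrivilege" in event.get("PrivilegeList", ""):
        findings.append("delegation privilege at creation")  # key field: Privileges
    return findings


def triage_batch(xml_events):
    """Triage a batch of 4741 events and add the per-creator quota count (tip 1)."""
    events = [parse_4741(x) for x in xml_events]
    per_creator = Counter(e.get("SubjectUserName", "") for e in events)
    report = {}
    for e in events:
        findings = triage(e)
        creator = e.get("SubjectUserName", "")
        if creator not in AUTHORIZED_CREATORS and per_creator[creator] > 1:
            findings.append(f"creator has {per_creator[creator]} of {MACHINE_ACCOUNT_QUOTA} quota used in batch")
        report[e["TargetUserName"]] = findings
    return report


if __name__ == "__main__":
    for account, findings in triage_batch(SAMPLE_4741_EVENTS).items():
        print(account, "->", findings or ["clean"])
```

In a real pipeline the EventData would come from the exported .evtx (for example via Get-WinEvent's ToXml()), and the quota count should be taken over the user's lifetime of creations rather than one batch, since MachineAccountQuota is a per-user lifetime limit tracked in the ms-DS-CreatorSID attribute of the objects they created.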

Related Event IDs

4742: Computer account changed — modifications after creation often add SPNs or set delegation flags for the attack payload
4743: Computer account deleted — attacker cleanup; a 4741+4743 pair within days with no AD join record is the backdoor lifecycle
4769: Kerberos service ticket — correlate for requests against the new computer account's SPN within 24h of 4741
4728: Member added to global group — rogue DC computer account added to Domain Admins as part of DCSync/DCShadow setup

Frequently Asked Questions

Why would an attacker create a computer account instead of a user account?
Computer accounts have several properties that make them more attractive for certain attacks. First, any domain user can create up to 10 computer accounts by default (MachineAccountQuota), without needing admin rights — unlike creating privileged user accounts. Second, computer accounts can have Service Principal Names (SPNs) registered on them, making them valid Kerberoasting targets. Third, computer accounts can be configured for resource-based constrained delegation (RBCD), allowing the attacker to impersonate any user to services that trust the rogue computer account. Finally, Active Directory accepts computer accounts as DC registrations via the DRS protocol, enabling DCSync and DCShadow attacks that bypass normal AD change logging.
How do I detect MachineAccountQuota abuse?
The primary signal is a 4741 event where the Subject Account Name is a regular domain user rather than a Domain Admin or provisioning service account. To build a detection rule, establish a baseline of which accounts legitimately create computer objects (usually a limited set of service accounts used by SCCM, Intune, or your AD provisioning tool) and alert on any 4741 from outside that list. Additionally, audit MachineAccountQuota itself — setting it to 0 via `Set-ADDomain -Identity yourdomain.com -Replace @{'ms-DS-MachineAccountQuota'=0}` removes the ability for non-admins to create computer accounts entirely, which eliminates this attack vector while affecting almost no legitimate workflows in modern environments using centralized provisioning.
What is resource-based constrained delegation and why does Event 4741 matter for it?
Resource-based constrained delegation (RBCD) is a Kerberos delegation model where a service (the resource) specifies which other accounts are trusted to delegate to it, stored in the msDS-AllowedToActOnBehalfOfOtherIdentity attribute. An attacker who can create a computer account (via MachineAccountQuota) and write to that attribute on a target machine can configure the rogue computer account as a trusted delegator, then use Kerberos S4U2Proxy to obtain a service ticket impersonating any user — including Domain Admins — to the target machine. Event 4741 is the first step in this chain: the rogue computer account creation. Event 4742 then captures the delegation attribute being set. Together, 4741+4742 within minutes of each other, performed by a non-admin, with delegation attributes being modified, is a reliable RBCD attack detection signature.
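The cross-event signatures described in the FAQ and in Related Event IDs (the 4741+4742 RBCD pair by a non-admin within minutes, the RC4 4769 request for the new account's SPN within 24 hours, and the 4741+4743 backdoor lifecycle with no join record), as an added example in Python that is not EventPeeker's code. The timeline of events is constructed and reduced to the fields the rules read; the privileged-account list and the join-record set are assumptions. How a delegation attribute write shows up in a 4742 record depends on your audit configuration, so the sample carries it as a plain `delegation_changed` flag, which is an assumption of this example rather than a field of the event.

```python
"""Cross-event correlation for the attack chains built on Event ID 4741.

Three signatures from the page: the RBCD pair (4741 + 4742 by a non-admin within
minutes), the Kerberoasting follow-up (RC4 4769 for the new account's SPN within
24h), and the backdoor lifecycle (4741 + 4743 with no join record). The event
records below are constructed and reduced to the fields the rules read.
"""
from datetime import datetime, timedelta

# Assumption: admin and provisioning accounts whose computer-object changes are expected.
PRIVILEGED_ACCOUNTS = {"Administrator", "svc-adjoin", "svc-sccm"}
# Assumption: hostnames known to the join/provisioning system (the "AD join record").
JOIN_RECORDS = {"LON-WS-0042$"}
RC4_HMAC = 0x17  # TicketEncryptionType value for RC4-HMAC in Event 4769
AES256 = 0x12    # TicketEncryptionType value for AES256 in Event 4769

T0 = datetime(2024, 5, 1, 9, 0, 0)  # constructed reference time

# Constructed timeline. 'delegation_changed' stands in for however your audit
# configuration surfaces a delegation attribute write in a 4742 record.
SAMPLE_EVENTS = [
    {"id": 4741, "time": T0, "subject": "jsmith", "target": "DESKTOP-A3B7$"},
    {"id": 4741, "time": T0, "subject": "svc-adjoin", "target": "LON-WS-0042$"},
    {"id": 4742, "time": T0 + timedelta(minutes=4), "subject": "jsmith",
     "target": "FILESRV01$", "delegation_changed": True},
    {"id": 4742, "time": T0 + timedelta(minutes=5), "subject": "svc-adjoin",
     "target": "LON-WS-0042$", "delegation_changed": False},
    {"id": 4769, "time": T0 + timedelta(minutes=30), "requester": "jsmith",
     "service": "DESKTOP-A3B7$", "enc_type": RC4_HMAC},
    {"id": 4769, "time": T0 + timedelta(hours=1), "requester": "LON-WS-0042$",
     "service": "LON-WS-0042$", "enc_type": AES256},  # normal machine traffic
    {"id": 4743, "time": T0 + timedelta(days=3), "subject": "jsmith", "target": "DESKTOP-A3B7$"},
]


def _within(later, earlier, window):
    """True when `later` happened at or after `earlier` and no more than `window` later."""
    delta = later["time"] - earlier["time"]
    return timedelta(0) <= delta <= window


def rbcd_signature(events, window=timedelta(minutes=15)):
    """Non-admin creates a computer account, then writes delegation on an object shortly after.

    Returns (rogue computer account, object whose delegation attribute changed) pairs.
    """
    hits = []
    for c in events:
        if c["id"] != 4741 or c["subject"] in PRIVILEGED_ACCOUNTS:
            continue
        for m in events:
            if (m["id"] == 4742 and m["subject"] == c["subject"]
                    and m.get("delegation_changed") and _within(m, c, window)):
                hits.append((c["target"], m["target"]))
    return hits


def kerberoast_signature(events, window=timedelta(hours=24)):
    """RC4 service-ticket request (4769) naming a computer account created within the window.

    4769 reports a computer account's SPN owner as its sAMAccountName (NAME$), so the
    ServiceName is matched against the 4741 target. Returns (account, requester) pairs.
    """
    hits = []
    for c in events:
        if c["id"] != 4741:
            continue
        for r in events:
            if (r["id"] == 4769 and r["service"].lower() == c["target"].lower()
                    and r["enc_type"] == RC4_HMAC and _within(r, c, window)):
                hits.append((c["target"], r["requester"]))
    return hits


def backdoor_lifecycle(events, window=timedelta(days=7)):
    """4741 followed by 4743 for the same account, with no join record for that account."""
    hits = []
    for c in events:
        if c["id"] != 4741 or c["target"] in JOIN_RECORDS:
            continue
        for d in events:
            if d["id"] == 4743 and d["target"] == c["target"] and _within(d, c, window):
                hits.append(c["target"])
    return hits


if __name__ == "__main__":
    print("RBCD pairs:", rbcd_signature(SAMPLE_EVENTS))
    print("Kerberoast requests:", kerberoast_signature(SAMPLE_EVENTS))
    print("Backdoor lifecycle:", backdoor_lifecycle(SAMPLE_EVENTS))
```

The windows (15 minutes, 24 hours, 7 days) are the page's own correlation horizons; in a SIEM these rules map onto a join of 4741 with the follow-on event keyed on the subject (for 4742) or on the target account name (for 4769 and 4743).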
