Hi, I created a few users in AD, and when I go to Event Viewer to see if these actions were audited, I can't find anything! What is the event ID in Event Viewer of the newly created user in AD?
March 17th, 2008 12:55am
Hi,

Based on the research, the event IDs for Active Directory user account management are as follows.

Event ID  Action
4720      Create a user account
4724      Reset an account's password
4738      Change user account
4722      Enable a user account
4725      Disable a user account
4726      Delete a user account
4781      Change user account name

You may see the detailed information for each event ID in the Event Viewer: Eventvwr -> Windows Logs -> Security

Please note: "Audit account management" should be enabled with a GPO which is linked to the corresponding container.

Steps: Open the GPMC -> Create a GPO -> Edit the GPO -> expand "Computer Configuration" -> expand "Policies" -> expand "Windows Settings" -> expand "Security Settings" -> expand "Local Policies" -> "Audit Policies" -> enable "Audit account management" with "Success" and "Failure"

Please reset the computer to refresh the group policy and let it apply afterwards.

Hope it helps.
March 17th, 2008 3:12pm
Hi David, thanks for your reply. I read before that these events should be logged by default. When I checked the GPO, all are not defined yet, but when I run this command: auditpol.exe /get /Category:* I can see that some subcategories are enabled. But when I create a new user, event ID 4720 is not logged! If I enabled the GPO, it would then be the same as Win2k3. I want to benefit from the new auditing of Win2k8. Can you help me with this, please?
March 17th, 2008 10:20pm
Do you also have a list of event IDs for computers? For example, joining a machine to the domain, resetting a machine and so on. Thanks in advance.
March 18th, 2008 1:40am
Hi,

Here are some event IDs for computer accounts.

Event ID  Action
4742      Change a computer account
4743      Delete a computer account
March 18th, 2008 10:23am
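The two ID lists above, turned into a who-did-what report, as an added example that is not code from any poster in this thread. The helper name ConvertFrom-AccountEventXml, the CONTOSO domain and the sample events are constructed for illustration; the event-data field names are the ones Windows records for these events.

```powershell
# Event IDs and actions exactly as listed in the replies above.
$AccountEvents = @{
    4720 = 'Create a user account';       4722 = 'Enable a user account'
    4724 = "Reset an account's password"; 4725 = 'Disable a user account'
    4726 = 'Delete a user account';       4738 = 'Change user account'
    4781 = 'Change user account name'
    4742 = 'Change a computer account';   4743 = 'Delete a computer account'
}

function ConvertFrom-AccountEventXml {
    # Hypothetical helper: turns one Security event (as XML text) into a
    # who-did-what-to-whom record; events with other IDs are skipped.
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Xml)
    process {
        $e  = ([xml]$Xml).Event
        $id = [int]$e.System.EventID
        if (-not $AccountEvents.ContainsKey($id)) { return }
        # Flatten <Data Name="...">value</Data> into a lookup table.
        $d = @{}
        foreach ($n in $e.EventData.Data) { $d[$n.Name] = $n.'#text' }
        # 4781 (rename) carries old/new names instead of TargetUserName.
        $target = if ($d.ContainsKey('NewTargetUserName')) {
            '{0} -> {1}' -f $d['OldTargetUserName'], $d['NewTargetUserName']
        } else { $d['TargetUserName'] }
        [pscustomobject]@{
            Time    = $e.System.TimeCreated.SystemTime
            EventId = $id
            Action  = $AccountEvents[$id]
            Actor   = '{0}\{1}' -f $d['SubjectDomainName'], $d['SubjectUserName']
            Target  = $target
        }
    }
}

# Constructed sample events (trimmed to the fields used), not real log data.
# The 4624 logon event is included to show that unrelated IDs are dropped.
$sample = @(
    '<Event><System><EventID>4720</EventID><TimeCreated SystemTime="2008-03-17T09:00:00Z"/></System><EventData><Data Name="TargetUserName">jdoe</Data><Data Name="SubjectUserName">admin1</Data><Data Name="SubjectDomainName">CONTOSO</Data></EventData></Event>'
    '<Event><System><EventID>4781</EventID><TimeCreated SystemTime="2008-03-17T09:05:00Z"/></System><EventData><Data Name="OldTargetUserName">jdoe</Data><Data Name="NewTargetUserName">john.doe</Data><Data Name="SubjectUserName">admin1</Data><Data Name="SubjectDomainName">CONTOSO</Data></EventData></Event>'
    '<Event><System><EventID>4624</EventID><TimeCreated SystemTime="2008-03-17T09:06:00Z"/></System><EventData><Data Name="TargetUserName">jdoe</Data></EventData></Event>'
)
$sample | ConvertFrom-AccountEventXml | Format-Table -AutoSize

# On a domain controller, feed it the live Security log instead:
# Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=[int[]]$AccountEvents.Keys } |
#     ForEach-Object { $_.ToXml() } | ConvertFrom-AccountEventXml
```

If the live query returns nothing after an account change, compare the account-management subcategories shown by the auditpol.exe /get /Category:* command quoted earlier in the thread.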
Hi, This is great info David, thanks for sharing.

_____________________________
Tarek Majdalani
Computer Engineer, CIW, MCSA: Security 2000/2003, TS: Windows Vista
MVP -- ISA Firewalls
Website : http://www.elmajdal.net/Win2k8
March 18th, 2008 11:04am
David Shen - MSFT wrote:
> Hi, Here are some event IDs for computer accounts.
>
> Event ID  Action
> 4742      Change a computer account
> 4743      Delete a computer account

Do not forget to enable the Computer Account Management subcategory.

HTH,
Tarek

_____________________________
Tarek Majdalani
Computer Engineer, CIW, MCSA: Security 2000/2003, TS: Windows Vista
MVP -- ISA Firewalls
Website : http://www.elmajdal.net/Win2k8
March 18th, 2008 11:23am
David Shen - MSFT wrote:
> Hi, Here are some event IDs for computer accounts.
>
> Event ID  Action
> 4742      Change a computer account
> 4743      Delete a computer account

Hi David, I started creating custom events so that wherever I go, I take these events with me and load them on the domain controllers. I am getting more interested in the events. Can you also write down the events for GPO? For example, creating a new GPO, changing a GPO, linking a GPO, deleting a GPO and so on. Thank you very much.
March 19th, 2008 2:37pm
Hi NetSecurity,

Based on my research, here are some event IDs which are related to GPO.

Event ID  Action
4662      An operation that was performed on an object in Active Directory (create, delete, rename or link a GPO)
4719      System audit policy was changed
4907      Auditing settings on object were changed
1501      There were no changes detected since the last successful processing of Group Policy
1502      New settings from Group Policy object were detected and applied (new GPO apply)

Hope it helps.
March 20th, 2008 2:26pm