User accounts are the doorway into your domain and servers, and if you aren’t monitoring changes to user accounts you are not secure and far from compliant. From a security perspective alone you need to have an audit trail of newly created domain user accounts, and if you are following the best practice of avoiding local accounts you need to know right away when new local accounts appear on member servers. What about accounts that were disabled that are suddenly re-enabled? And then there are password resets; it’s so important to have an audit trail of that activity so that there’s some accountability over the help desk and others with the powerful password reset authority.
As with many areas of the security log, it’s not just a matter of knowing which event IDs to look for. You need to understand how the implications are different for the same event ID when it comes from a member server as opposed to a domain controller. And of course there are the security log’s ever-present caveats and “weirdnesses” which, if you don’t know about them, will have you wasting time spinning your wheels, following wild goose chases - or worse - missing important changes.
In this webinar I will show you how to audit changes to both domain and local user accounts. You’ll find out how to configure the right audit policy to produce the right events and you’ll learn what events to look for. I’ll make sure you know the arcane little things about these events that make all the difference in monitoring user account changes, detecting suspicious events and meeting your compliance requirements.