WinSecWiki » Windows Security Settings » Local Policies » Audit Policy » Audit account management

Other Account Management Events

whsmith — Tue, 28 Aug 2012 15:13:59 GMT

Miscellaneous account management events. Logged on member servers and workstations in addition to domain controllers. To configure this on Server 2008 and Vista you must use auditpol. Windows 7 and Server 2008 R2 can use Group Policy.

Coverage on events generated by this category are currently in the Security Log Encyclopedia:

Event ID	Title
4739	Domain Policy was changed.
4793	The Password Policy Checking API was called.

Application Group Management

whsmith — Tue, 28 Aug 2012 15:09:32 GMT

Application groups are part of Windows's role based access control for applications and are maintained in the Authorization Manager MMC snap-in. To configure this on Server 2008 and Vista you must use auditpol. Windows 7 and Server 2008 R2 can use Group Policy.

Coverage on events generated by this category are currently in the Security Log Encyclopedia:

Event ID	Title
4783	A basic application group was created.
4784	A basic application group was changed.
4785	A member was added to a basic application group.
4786	A member was removed from a basic application group.
4787	A non-member was added to a basic application group.
4788	A non-member was removed from a basic application group.
4789	A basic application group was deleted.
4790	An LDAP query group was created.
4791	A basic application group was changed.
4792	An LDAP query group was deleted.

Distribution Group Management

whsmith — Tue, 28 Aug 2012 14:42:53 GMT

This event is only logged on domain controllers. To configure this on Server 2008 and Vista you must use auditpol. Windows 7 and Server 2008 R2 can use Group Policy. In Active Directory Users and Computers "Security Disabled" groups are referred to as Distribution groups. AD has 2 types of groups: Security and Distribution. Distribution (security disabled) groups are for distribution lists in Exchange and cannot be assigned permissions or rights. Security (security enabled) groups can be used for permissions, rights and as distribution lists.

Coverage on events generated by this category is currently are the Security Log Encyclopedia:

Event ID	Title
4744	A security-disabled local group was created.
4745	A security-disabled local group was changed.
4746	A member was added to a security-disabled local group.
4747	A member was removed from a security-disabled local group.
4748	A security-disabled local group was deleted.
4749	A security-disabled global group was created.
4750	A security-disabled global group was changed
4751	A member was added to a security-disabled global group.
4752	A member was removed from a security-disabled global group.
4753	A security-disabled global group was deleted.
4759	A security-disabled universal group was created.
4760	A security-disabled universal group was changed.
4761	A member was added to a security-disabled universal group.
4762	A member was removed from a security-disabled universal group.
4763	A security-disabled universal group was deleted.

Security Group Management

whsmith — Tue, 28 Aug 2012 14:40:44 GMT

This category is logged on workstations, member servers and domain controllers. To configure this on Server 2008 and Vista you must use auditpol. Windows 7 and Server 2008 R2 can use Group Policy.

Active Directory

In Active Directory Users and Computers "Security Enabled" groups are simply referred to as Security groups. AD has 2 types of groups: Security and Distribution. Distribution (security disabled) groups are for distribution lists in Exchange and cannot be assigned permissions or rights. Security (security enabled) groups can be used for permissions, rights and as distribution lists.

A domain local group means the group can only be granted access to objects within its domain but can have members from any trusted domain.

Local SAM

All groups are security groups in the computer's SAM. Local SAM groups can be granted access to objects on the local computer only but may have members from the local SAM and any trusted domain.

Coverage on events generated by this category are currently in the Security Log Encyclopedia:

Event ID	Title
4727	A security-enabled global group was created.
4728	A member was added to a security-enabled global group.
4729	A member was removed from a security-enabled global group.
4730	A security-enabled global group was deleted.
4731	A security-enabled local group was created.
4732	A member was added to a security-enabled local group.
4733	A member was removed from a security-enabled local group.
4734	A security-enabled local group was deleted.
4735	A security-enabled local group was changed.
4737	A security-enabled global group was changed.
4754	A security-enabled universal group was created.
4755	A security-enabled universal group was changed.
4756	A member was added to a security-enabled universal group.
4757	A member was removed from a security-enabled universal group.
4758	A security-enabled universal group was deleted.
4764	A groups type was changed.

Computer Account Management

whsmith — Tue, 28 Aug 2012 14:29:27 GMT

This category is only logged on domain controllers. To configure this on Server 2008 and Vista you must use auditpol. Windows 7 and Server 2008 R2 can use Group Policy.

Coverage on events generated by this category are currently in the Security Log Encyclopedia:

Event ID	Title
4741	A computer account was created.
4742	A computer account was changed.
4743	A computer account was deleted.

User Account Management

whsmith — Tue, 21 Aug 2012 15:03:10 GMT

This category tracks changes to local user accounts on workstations, member servers and Active Directory domain user accounts on domain controllers. To configure this on Server 2008 and Vista you must use auditpol. Windows 7 and Server 2008 R2 can use Group Policy.

Coverage on events generated by this category are currently in the Security Log Encyclopedia:

Event ID	Title
4720	A user account was created.
4722	A user account was enabled.
4723	An attempt was made to change an account's password.
4724	An attempt was made to reset an accounts password.
4725	A user account was disabled.
4726	A user account was deleted.
4738	A user account was changed.
4740	A user account was locked out.
4767	A user account was unlocked.
4780	The ACL was set on accounts which are members of administrators groups.
4781	The name of an account was changed:
4794	An attempt was made to set the Directory Services Restore Mode administrator password
5376	Credential Manager credentials were backed up.
5377	Credential Manager credentials were restored from a backup.

OVERVIEW: Audit Account Management

instantasp@gmail.com — Thu, 02 Apr 2009 18:12:29 GMT

The Audit account management events policy, which you can use to monitor changes to user accounts and groups, is valuable for auditiing the activity of administrators and Help Desk staff. This policy logs password resets, newly crated accounts, and changes to group memebership. On DCs, the policy logs changes to domain users, domain groups, and computer accounts. On member servers, it logs changes to local users and groups. We have not observed any failure events in this category.

The following is an exerpt from my book, The Windows Server Security Log Revealed :

The Account Management security log category is particularly valuable because you can use it to track maintenance of user, group, and computer objects in AD as well as to track local users and groups in member server and workstation SAMs. This category is also very easy to use because Windows uses a different even ID for each type of object and operation.

For a list of Event IDs generated by this category, see the Security Log Encyclopedia.

Bottom Line

Windows XP, 2000 and 2003: I recommend enabling this policy for success and failure on all computers including workstations.
Windows Server 2008 and Vista: I don't recommend managing audit policy at this level because too much noise is generated. Use subcategories instead. See Audit Category: Account Management (Windows Server 2008 and Vista) .