WinSecWiki > Security Settings > Local Policies > Audit Policy > Account Management

Audit Account Management

The Audit account management events policy, which you can use to monitor changes to user accounts and groups, is valuable for auditiing the activity of administrators and Help Desk staff.  This policy logs password resets, newly crated accounts, and changes to group memebership. On DCs, the policy logs changes to domain users, domain groups, and computer accounts.  On member servers, it logs changes to local users and groups. We have not observed any failure events in this category.

The following is an exerpt from my book, The Windows Security Log Revealed:

The Account Management security log category is particularly valuable because you can use it to track maintenance of user, group, and computer objects in AD as well as to track local users and groups in member server and workstation SAMs.  This category is also very easy to use because Windows uses a different even ID for each type of object and operation.

For a list of Event IDs generated by this category, see the Security Log Encyclopedia.

Bottom Line

• Windows XP, 2000 and 2003: I recommend enabling this policy for success and failure on all computers including workstations.
• Windows Server 2008 and Vista: I don't recommend managing audit policy at this level because too much noise is generated. Use subcategories instead. See Audit Category: Account Management (Windows Server 2008 and Vista).

Child articles:

• User Account Management
• Computer Account Management
• Security Group Management
• Distribution Group Management
• Application Group Management
• Other Account Management Events

Back to top

 

Upcoming Webinars Assessing the Security of Your Active Directory: User Accounts Anatomy of a Cloud Hack: The Cloudflare/Okta Compromise – A Story of Tokens, Lateral Movement, Persistence and the Salvation of Zero Trust and Hard MFA Tokens

Additional Resources