Re: Auditing Account management events

From: FEX (anonymous_at_discussions.microsoft.com)
Date: 11/29/04 

Date: Sun, 28 Nov 2004 17:59:32 -0800

ummm curiosly ,that's what I'm doing I enabled auditing
account management in the security policy on both domain
controllers (DC-OU) ; However i can't see any event id how
i told you .

>-----Original Message-----
>You don't need to do it that way and that would not work
anyhow for what you
>are looking for. Simply enable auditing of "account
management" in the
>security policy of the computer where you want to track
these events. If you
>are tracking events for domain users, enable auditing of
account management
>in Domain Controller Security Policy and view the
security logs of the
>domain controllers to find the related events. You can
use the free Event
>Comb tool from Microsoft to scan multiple computer logs
in the domain from a
>central point. See the link below for more details
including explanation of
>some Event ID's. --- Steve
>
>http://www.microsoft.com/technet/security/guidance/secmod1
44.mspx
>
>"fex" <anonymous@discussions.microsoft.com> wrote in
message
>news:0dcb01c4d5a6$35380e10$a501280a@phx.gbl...
>>
>> Hello,
>>
>> I've been auditing multiple events (System Events ,
>> Policy Changes , Logon Events , but specially all events
>> referents to Account management events like (User
Account
>> create, User Account Deleted , etc ) However , I applied
>> the auditing to the default group everyone on Defaul
>> Domain Controller Policy , to check specially all
changes
>> made by users with domain admin rights. But at this
moment
>> they are changing users -passwords - deleting users
and -
>> I don't receive any event id; for instance (ID:624-627-
630)
>> at the moment they applied any change on the DC.
>>
>> I would like to know what is my misconfiguration or I
need
>> more configuartion or the default group it is not
applied
>> right way ?
>>
>> I will thanks any comment !!!
>
>
>.
>

Relevant Pages

  • Re: Auditing Account management events
    ... Simply enable auditing of "account management" in the ... security policy of the computer where you want to track these events. ... are tracking events for domain users, enable auditing of account management ... in Domain Controller Security Policy and view the security logs of the ...
    (microsoft.public.win2000.group_policy)
  • Re: Security Log Event ID 537
    ... I have a small test network setup but with no ... NT4.0 clients as of now and my suggestions are based on settings that I know ... W2003 domain controllers have a somewhat different set of security options ... looking at the Domain Security Policy on one of the Windows 2000 domain ...
    (microsoft.public.win2000.security)
  • Re: log files
    ... For domain controllers enable auditing of account logon events in Domain ... Controller Security policy and you will then see when users are logging onto ... For computers other than domain controllers enable ...
    (microsoft.public.security)
  • Re: Auditing Account management events
    ... If you have configured auditing of account management in Domain Controller ... Security Policy, check the Local Security Policy of your domain controllers ...
    (microsoft.public.win2000.group_policy)
  • Re: Domain admin users audit
    ... I don't receive any account management Event on Domain ... Controllers however i received all logon events, ... >Account Management auditing will cover the ...
    (microsoft.public.win2000.active_directory)