Audit trail of AD Account

  • Thread starter Thread starter YMan
  • Start date Start date
Y

YMan

Hi,

Yes I have another question.

When the administrator disable an account in Active Directory. Is there any
way to set up audit trail that will show when the account is being disabled?
For example, a staff is leaving the company and the administrator will
disable his / her account by the time s/he leaves for good. Will there be
any log to record the event that the administrator actually disabled that
user's account in AD? If not within Microsoft, what will be the options?

Thanks
 
Hi,

Yes I have another question.

When the administrator disable an account in Active Directory. Is there any
way to set up audit trail that will show when the account is being disabled?
For example, a staff is leaving the company and the administrator will
disable his / her account by the time s/he leaves for good. Will there be
any log to record the event that the administrator actually disabled that
user's account in AD? If not within Microsoft, what will be the options?

Thanks
Click to expand...
From the Help file:

Group Policy

Audit account managementComputer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy

Description
Determines whether to audit each event of account management on a computer. Examples of account management events include the following:

A user account or group is created, changed, or deleted.
A user account is renamed, disabled, or enabled.
A password is set or changed.
If you define this policy setting, you can specify whether to audit successes, audit failures, or not audit the event type at all. Success audits generate an audit entry when any account management event succeeds. Failure audits generate an
audit entry when any account management event fails. To set this value to no auditing, in the Properties dialog box for this policy setting, select the Define these policy settings check box and clear the Success and Failure check boxes.

Default: No auditing.

For more information, see:

Security Configuration Manager Tools
 
YMan said:
Hi,

Yes I have another question.

When the administrator disable an account in Active Directory. Is there any
way to set up audit trail that will show when the account is being disabled?
For example, a staff is leaving the company and the administrator will
disable his / her account by the time s/he leaves for good. Will there be
any log to record the event that the administrator actually disabled that
user's account in AD? If not within Microsoft, what will be the options?

Thanks
Click to expand...

You only get auditing if you turn it on (it's not on by default). You can turn
it on by editing the local policy of the domain controller or editing the group
policy for the domainc ontroller and edit the audit settings under the Computer
Configuration section of the policy. Account Management is what you need
auditing on for. The audit entries will appear in the security event log for
the DC.
 
Back
Top