Auditing Account management events

  • Thread starter Thread starter fex
  • Start date Start date
F

fex

Hello,

I've been auditing multiple events (System Events ,
Policy Changes , Logon Events , but specially all events
referents to Account management events like (User Account
create, User Account Deleted , etc ) However , I applied
the auditing to the default group everyone on Defaul
Domain Controller Policy , to check specially all changes
made by users with domain admin rights. But at this moment
they are changing users -passwords - deleting users and -
I don't receive any event id; for instance (ID:624-627-630)
at the moment they applied any change on the DC.

I would like to know what is my misconfiguration or I need
more configuartion or the default group it is not applied
right way ?

I will thanks any comment !!!
 
You don't need to do it that way and that would not work anyhow for what you
are looking for. Simply enable auditing of "account management" in the
security policy of the computer where you want to track these events. If you
are tracking events for domain users, enable auditing of account management
in Domain Controller Security Policy and view the security logs of the
domain controllers to find the related events. You can use the free Event
Comb tool from Microsoft to scan multiple computer logs in the domain from a
central point. See the link below for more details including explanation of
some Event ID's. --- Steve

http://www.microsoft.com/technet/security/guidance/secmod144.mspx
 
ummm curiosly ,that's what I'm doing I enabled auditing
account management in the security policy on both domain
controllers (DC-OU) ; However i can't see any event id how
i told you .
 
If you have configured auditing of account management in Domain Controller
Security Policy, check the Local Security Policy of your domain controllers
to see if it shows as "effective" setting [ assuming W2K] for both of them
for auditing of account management for success and failure.. If it does and
you still do not see the events recorded, try clearing the security logs on
both domain controllers [saving them to file if need be] and increasing the
size of the security logs quite a bit to say at least 10 mb. By default the
security log is small and will stop recording events until manually cleared
after it fills up. --- Steve
 
Back
Top