User Account Permissions changed...

  • Thread starter Thread starter Jeremy Mitchell
  • Start date Start date
J

Jeremy Mitchell

I have searched the group and the web but havent found the specifics to where
I can find the answer to my question.

Where in Event viewer can I find what account was used to change a users
account group? The user was added to the local machine as an administrator.
I have searched Event Viewer but cannot find it in the logs. What is the
event ID for an account permission change?

Thanks for your help. Also, if this has been answered before, please post
the link.
 
Jeremy

I don't think changing a user account type is logged in the event viewer. It
would take an admin account to perform this type of action.
 
Ronnie,

Thanks for the response. After further investigation, if I am not mistaken,
I believe this event would only be logged if the "Audit account Management"
subcategory is enabled in the Local Security Policy on each PC, or the parent
Audit Policy was enabled, which would turn on all auditing events. The IT
person who elevated the user's permissions does have domain admin rights. I
just wanted to try and find concrete evidence.

From what I have read, when all auditing features are enabled, you should be
able to go back and find anything that was done on the pc. This is not a
best practice for most, however.
 
Jeremy

Your assessment appears to be correct. Like you said, it's not considered a
best practice, but if there is a problem this would be a good way to resolve
it.
 
Back
Top