CCE-35727-7
Audit account management This policy setting determines whether to audit each account management event on a computer. Examples of account management events include: - A user account or group is created, changed, or deleted. - A user account is renamed, disabled, or enabled. - A password is set or changed. Organizations need to be able to determine who creates, modifies, or deletes both domain and local accounts. Unauthorized changes could indicate mistaken changes made by an administrator who does not understand how to follow organizational policies, but could also indicate a deliberate attack. The following table includes the important security events that this policy setting records in the Security log. These event IDs can be useful when you want to create custom alerts to monitor any software suite, such as MOM. Most operational management software can be customized with scripts to capture or flag events that are based on these event IDs. Table 4.4 Account Management Events Event ID Event description: 624 - A user account was created. 627 - A user password was changed. 628 - A user password was set. 630 - A user account was deleted. 631 - A global group was created. 632 - A member was added to a global group. 633 - A member was removed from a global group. 634 - A global group was deleted. 635 - A new local group was created. 636 - A member was added to a local group. 637 - A member was removed from a local group. 638 - A local group was deleted. 639 - A local group account was changed. 641 - A global group account was changed. 642 - A user account was changed. 643 - A domain policy was modified. 644 - A user account was automatically locked. 645 - A computer account was created. 646 - A computer account was changed. 647 - A computer account was deleted. 648 - A local security group with security disabled was created. Note: SECURITY_DISABLED in the formal name means that this group cannot be used to grant permissions in access checks. 649 - A local security group with security disabled was changed. 650 - A member was added to a security-disabled local security group. 651 - A member was removed from a security-disabled local security group. 652 - A security-disabled local group was deleted. 653 - A security-disabled global group was created. 654 - A security-disabled global group was changed. 655 - A member was added to a security-disabled global group. 656 - A member was removed from a security-disabled global group. 657 - A security-disabled global group was deleted. 658 - A security-enabled universal group was created. 659 - A security-enabled universal group was changed. 660 - A member was added to a security-enabled universal group. 661 - A member was removed from a security-enabled universal group. 662 - A security-enabled universal group was deleted. 663 - A security-disabled universal group was created. 664 - A security-disabled universal group was changed. 665 - A member was added to a security-disabled universal group. 666 - A member was removed from a security-disabled universal group. 667 - A security-disabled universal group was deleted. 668 - A group type was changed. 684 - The security descriptor of administrative group members was set. Note: Every 60 minutes on a domain controller, a background thread searches all members of administrative groups (such as domain, enterprise, and schema administrators) and applies a fixed security descriptor on them. This event is logged. 685 - Name of an account was changed. Parameter:
|
||||||||||||||||||||||||||||||||||||||||||||||||||
 |
30430 |
 |
423868 |
 |
247621 |
 |
909 |
 |
194512 |
 |
282 |
