[Forgot Password]
Login  Register Subscribe












Paid content will be excluded from the download.

Download | Alert*

Ensure Audit Success and Failure for 'Audit Policy: Account Management: User Account Management'

ID: oval:org.secpod.oval:def:35489Date: (C)2016-06-10   (M)2018-03-24
Class: COMPLIANCEFamily: windows

This subcategory reports each event of user account management, such as when a user account is created, changed, or deleted; a user account is renamed, disabled, or enabled; or a password is set or changed. If you enable this Audit policy setting, administrators can track events to detect malicious, accidental, and authorized creation of user accounts. Note: This setting also audits queries as well as user account changes. Events for this subcategory include: - 4720: A user account was created. - 4722: A user account was enabled. - 4723: An attempt was made to change an account's password. - 4724: An attempt was made to reset an account's password. - 4725: A user account was disabled. - 4726: A user account was deleted. - 4738: A user account was changed. - 4740: A user account was locked out. - 4765: SID History was added to an account. - 4766: An attempt to add SID History to an account failed. - 4767: A user account was unlocked. - 4780: The ACL was set on accounts which are members of administrators groups. - 4781: The name of an account was changed: - 4794: An attempt was made to set the Directory Services Restore Mode. - 5376: Credential Manager credentials were backed up. - 5377: Credential Manager credentials were restored from a backup. Refer to the Microsoft Knowledgebase article 'Description of security events in Windows Vista and in Windows Server 2008' for the most recent information about this setting: http://support.microsoft.com/kb/947226.

Microsoft Windows 10
CCE    1

© SecPod Technologies