Please enable JavaScript to view this site.

Account management tracking intercepts events related to the creation, modification and deletion of user accounts, groups and computer accounts. Depending on the type of computer this feature is being used, either local or domain accounts will be tracked.

 

User Account Management

 

User Creation & Deletion

Tracks when user accounts are created or deleted.

 

User Account Modifications

Tracks when user accounts are modified, e.g. when a password is set.

 

User Status Changes

Tracks user status changes, e.g. when a user account is disabled or enabled.

 

Event Log 32 n t

Event IDs

User Account Management

 

Windows XP, Windows 2003 and before

624, 626, 628, 629, 630, 642, 644, 671

 

Windows Vista, Windows 2008 and later

4720, 4722, 4724, 4725, 4726, 4738, 4740, 4767

 

Group Management

 

Group Addition & Deletion

Tracks when groups are created or deleted.

 

Group Modifications

Tracks when groups are modified, e.g. when a global group is changed to a universal group.

 

Group Membership Changes

Tracks changes to the group membership, e.g. when members are added or removed from a group.

 

Security-Enabled Groups, Distribution Groups

Lets you configure which types of groups should be monitored.

 

Event Log 32 n t

Event IDs

Group Management

 

Windows XP, Windows 2003 and before

631 - 639, 641, 648 - 667

 

Windows Vista, Windows 2008 and later

4727 - 4735, 4737, 4744 - 4763

 

Computer Account Management

 

Computer Account Creation & Deletion

Tracks when computer accounts are added or deleted.

 

Computer Account Modifications

Tracks changes to computer accounts, such as when the password of a computer account is changed.

 

Note: Computer account changes only occur on domain controllers.

 

Event Log 32 n t

Event IDs

Computer Management

 

Windows XP, Windows 2003 and before

645, 646, 647

 

Windows Vista, Windows 2008 and later

4741, 4742, 4743

 

Retrieve Source IP Address and Computer Name

When the logon id contained in the account management event can be linked (correlated) to an earlier logon session, then EventSentry will include the IP address and/or host name. In the case that only the host name or IP address are available, a DNS (reverse) lookup will be performed to gather the missing information.

 

Due to the nature of DNS lookups, this information might not be 100% accurate.