Account management tracking intercepts events related to the creation, modification and deletion of user accounts, groups and computer accounts. Depending on the type of computer this feature is used on, either local or domain accounts will be tracked.
User Account Management
User Creation & Deletion
Tracks when user accounts are created or deleted.
User Account Modifications
Tracks when user accounts are modified, e.g. when a password is set.
User Status Changes
Tracks user status changes, e.g. when a user account is disabled or enabled.
Event IDs (User Account Management)
Windows XP, Windows 2003 and before: 624, 626, 628, 629, 630, 642, 644, 671
Windows Vista, Windows 2008 and later: 4720, 4722, 4724, 4725, 4726, 4738, 4740, 4767
Group Management
Group Addition & Deletion
Tracks when groups are created or deleted.
Group Modifications
Tracks when groups are modified, e.g. when a global group is changed to a universal group.
Group Membership Changes
Tracks changes to the group membership, e.g. when members are added or removed from a group.
Security-Enabled Groups, Distribution Groups
Lets you configure which types of groups should be monitored.
Event IDs (Group Management)
Windows XP, Windows 2003 and before: 631 - 639, 641, 648 - 667
Windows Vista, Windows 2008 and later: 4727 - 4735, 4737, 4744 - 4763
Computer Account Management
Computer Account Creation & Deletion
Tracks when computer accounts are added or deleted.
Computer Account Modifications
Tracks changes to computer accounts, such as when the password of a computer account is changed.
Note: Computer account changes only occur on domain controllers.
Event IDs (Computer Account Management)
Windows XP, Windows 2003 and before: 645, 646, 647
Windows Vista, Windows 2008 and later: 4741, 4742, 4743
Retrieve Source IP Address and Computer Name
When the logon ID contained in the account management event can be linked (correlated) to an earlier logon session, EventSentry will include the source IP address and/or host name. If only the host name or only the IP address is available, a (reverse) DNS lookup is performed to obtain the missing information.
Due to the nature of DNS lookups, this information might not be 100% accurate.
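The following script is an added example that is not EventSentry's code; it illustrates the two pieces of logic described on this page: classifying events by the Vista/2008-and-later ID ranges in the tables above, and joining the logon ID in an account-management event to the earlier logon session so that the source IP and host name can be attached to the change. It assumes that the session source is the 4624 logon event and that its Source Network Address / Workstation Name fields map onto the ip and host attributes; the Event class, the Correlator, FAKE_DNS and all sample events are constructed for the example so that it runs offline, and the dns_used flag records which values came from a DNS lookup rather than from the event itself.

```python
import socket
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Event ID ranges from the tables above (Windows Vista / Windows 2008 and later).
USER_ACCOUNT_IDS = {4720, 4722, 4724, 4725, 4726, 4738, 4740, 4767}
GROUP_IDS = set(range(4727, 4736)) | {4737} | set(range(4744, 4764))
COMPUTER_IDS = {4741, 4742, 4743}
LOGON_EVENT_ID = 4624  # assumed source of the logon session (successful logon)


def category(event_id: int) -> Optional[str]:
    """Map an event ID to the account-management category it belongs to, or None."""
    if event_id in USER_ACCOUNT_IDS:
        return "User Account Management"
    if event_id in GROUP_IDS:
        return "Group Management"
    if event_id in COMPUTER_IDS:
        return "Computer Account Management"
    return None


@dataclass
class Event:
    """Minimal, constructed view of a Security-log record (not a real EVTX structure)."""
    event_id: int
    logon_id: str                 # for 4624 the new session; for management events the Subject's logon ID
    target: str = ""              # account/group/computer changed, or the account that logged on for 4624
    ip: Optional[str] = None      # 4624 'Source Network Address'
    host: Optional[str] = None    # 4624 'Workstation Name'


Resolver = Callable[[str], Optional[str]]


def _reverse_dns(ip: str) -> Optional[str]:
    """Real reverse lookup; may be stale or missing, so callers treat the result as best effort."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


def _forward_dns(host: str) -> Optional[str]:
    try:
        return socket.gethostbyname(host)
    except OSError:
        return None


class Correlator:
    """Remembers logon sessions by logon ID and enriches later management events."""

    def __init__(self, reverse: Resolver = _reverse_dns, forward: Resolver = _forward_dns):
        self.sessions: Dict[str, Event] = {}   # logon ID -> logon event
        self.reverse, self.forward = reverse, forward

    def ingest(self, ev: Event) -> Optional[dict]:
        if ev.event_id == LOGON_EVENT_ID:
            self.sessions[ev.logon_id] = ev       # remember where this session came from
            return None
        cat = category(ev.event_id)
        if cat is None:
            return None                            # not an account-management event
        sess = self.sessions.get(ev.logon_id)
        ip = sess.ip if sess else None
        host = sess.host if sess else None
        dns_used = False
        if sess:
            if ip and not host:                    # only the IP is known: reverse lookup
                host, dns_used = self.reverse(ip), True
            elif host and not ip:                  # only the host name is known: forward lookup
                ip, dns_used = self.forward(host), True
        return {"event_id": ev.event_id, "category": cat, "target": ev.target,
                "correlated": sess is not None, "source_ip": ip,
                "source_host": host, "dns_used": dns_used}


# Constructed DNS table standing in for the real resolver so the sample runs offline.
FAKE_DNS = {"10.0.0.25": "ws-admin01.corp.example", "ws-ops07": "10.0.0.77"}

# Constructed sample events: two sessions, three management events, one unrelated event.
SAMPLE_EVENTS = [
    Event(4624, "0x3E7A1", "admin.jane", ip="10.0.0.25"),
    Event(4720, "0x3E7A1", "svc-backup"),            # user created from the first session
    Event(4624, "0x4B2C0", "admin.bob", host="ws-ops07"),
    Event(4728, "0x4B2C0", "Domain Admins"),         # member added to a security-enabled group
    Event(4741, "0x1F00", "WS-NEW01$"),              # computer account created, no known session
    Event(4625, "0x3E7A1", "admin.jane"),            # failed logon: outside this feature's scope
]


def run_sample() -> List[dict]:
    c = Correlator(reverse=FAKE_DNS.get, forward=FAKE_DNS.get)
    return [r for r in (c.ingest(e) for e in SAMPLE_EVENTS) if r is not None]


if __name__ == "__main__":
    for record in run_sample():
        print(record)
```

Run it directly to print the three enriched records; the 4741 record stays uncorrelated because no 4624 with logon ID 0x1F00 was seen, and the rows whose dns_used flag is set are the ones where a resolver, rather than the event, supplied the host name or IP.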