
Auditing activity on user accounts is a staple of security measures in all organizations. Since users have access to various resources on your network, the odds that your organization will face an insider threat are high. So it is important to monitor activity related to user accounts, such as a user being added to a privileged group, or a user account being created or disabled. You can track these changes by setting up an audit policy so you can view events related to user accounts.

This post is designed to quickly summarize everything you need to know about auditing user accounts. You can find information about events related to activity on user accounts in the Microsoft documentation as well, but we're going ahead and bringing all the information together so you can properly configure your audit policy. We'll also tell you the benefit of using a premium tool like ADAudit Plus to track events related to user accounts.

How to configure auditing of user account management?

  • Right-click the required GPO in the Group Policy Management console. Select 'Edit' from the menu that appears. This pulls up the Group Policy Management Editor.
  • In this window, you have to set the “Audit User Account Management” policy. To do that, navigate to “Computer Configuration” ➔ “Windows Settings” ➔ “Security Settings” ➔ “Advanced Audit Policy Configuration” ➔ “Audit Policies”.
  • Select the “Account Management” policy and double-click “Audit User Account Management”.

Note: You could configure this from the 'Local Policy' settings in the window as well, but it is better to configure user account management auditing from the 'Advanced Audit Policy' setting. Configuring 'Local Policy' generates a lot more irrelevant events and makes it difficult to track down the events that you're actually looking for. Advanced Audit Policy settings give you more control over generating exactly the events that you're interested in.

List of events generated by this audit policy setting.

As provided by the official Microsoft documentation, these are the events you can track when this audit policy is configured. This is applicable to Windows 10 and Windows Server 2016 versions.

Events List:

  • 4720(S): A user account was created.
  • 4722(S): A user account was enabled.
  • 4723(S, F): An attempt was made to change an account's password.
  • 4724(S, F): An attempt was made to reset an account's password.
  • 4725(S): A user account was disabled.
  • 4726(S): A user account was deleted.
  • 4738(S): A user account was changed.
  • 4740(S): A user account was locked out.
  • 4765(S): SID History was added to an account.
  • 4766(F): An attempt to add SID History to an account failed.
  • 4767(S): A user account was unlocked.
  • 4780(S): The ACL was set on accounts which are members of administrators groups.
  • 4781(S): The name of an account was changed.
  • 4794(S, F): An attempt was made to set the Directory Services Restore Mode administrator password.
  • 4798(S): A user's local group membership was enumerated.
  • 5376(S): Credential Manager credentials were backed up.
  • 5377(S): Credential Manager credentials were restored from a backup.

While all these events are specific to user account management, you will find that some of them (Event IDs 4722, 4725, 4724, and 4781) are also generated for computer accounts.

We also suggest you audit these policies for both 'success' and 'failure', so you can track important "failed" attempts at changing or resetting passwords and logons, for both domain and local accounts.
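To check the result of the configuration steps and the event list above, the following PowerShell sketch reads back the effective audit setting and pulls the listed event IDs from the Security log, splitting them into success and failure. It is an added example, not part of the original post or of ADAudit Plus; it assumes an elevated session on an English-locale machine (the subcategory name is localized), and the 24-hour window and the short labels are constructed for illustration.

```powershell
# Added example: run from an elevated PowerShell prompt on the audited host or DC.

# 1. Show the effective setting for the subcategory configured in the GPO.
auditpol /get /subcategory:"User Account Management"

# 2. Event IDs from the list above, with short labels (labels are illustrative).
$events = @{
    4720 = 'account created';       4722 = 'account enabled'
    4723 = 'password change';       4724 = 'password reset'
    4725 = 'account disabled';      4726 = 'account deleted'
    4738 = 'account changed';       4740 = 'account locked out'
    4765 = 'SID History added';     4766 = 'SID History add failed'
    4767 = 'account unlocked';      4780 = 'ACL set on admin members'
    4781 = 'account renamed';       4794 = 'DSRM password set'
    4798 = 'local groups enumerated'
    5376 = 'CredMan backup';        5377 = 'CredMan restore'
}

# Keyword bit the Security log sets on failed audit records.
$AuditFailure = 0x10000000000000

# 3. Query the Security log for those IDs over a constructed look-back window.
$since   = (Get-Date).AddHours(-24)
$records = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = [int[]]@($events.Keys)
    StartTime = $since
} -ErrorAction SilentlyContinue

# 4. Normalize each record and mark it Success or Failure from the keyword bit,
#    which is locale-independent (unlike the rendered message text).
$report = $records | ForEach-Object {
    [pscustomobject]@{
        Time   = $_.TimeCreated
        Id     = $_.Id
        Action = $events[$_.Id]
        Result = if ($_.Keywords -band $AuditFailure) { 'Failure' } else { 'Success' }
        Host   = $_.MachineName
    }
}

# 5. Full timeline, then a per-event count of failures only.
$report | Sort-Object Time | Format-Table -AutoSize
$report | Where-Object Result -eq 'Failure' |
    Group-Object Id, Action | Select-Object Count, Name
```

If the first command does not report both Success and Failure for the subcategory, the GPO has not applied to this machine yet or another policy is overriding it.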

How can ADAudit Plus help you track events related to user accounts?

Event Viewer is the default native AD tool to view all your events. Although Event Viewer is a great tool, it is hard to look through all the messages and events and find a particular suspicious incident. We suggest opting for a premium solution like ADAudit Plus.

ADAudit Plus is a comprehensive solution that simplifies AD auditing and reporting. It is a one-stop platform that brings together an intuitive user interface, pre-configured reports, and advanced filter options that make it easy for you to track changes to your network, and detect threats immediately. You get a fully equipped dashboard that gives you a holistic view of the various systems in your network. This way you can correlate events across the network and spot suspicious behavior.

How to easily track user account related events in ADAudit Plus?

  • Navigate to the 'Reports' tab.
  • Since you're looking for user account related events, choose the 'User Management' tab. You can then navigate to the desired pre-configured reports in this section.
  • Customize the Period to the desired time range. You can also define a custom period and save it for quick reference.
  • A detailed audit information report is generated for the selected period.
  • Clicking on an event in the bar graph filters the report view, highlighting only the selected event. Advanced filter options help you locate the specific event that you're looking for.

ADAudit Plus is a real-time, web-based Windows Active Directory (AD) change reporting software that audits, reports and alerts on Active Directory, Windows servers and workstations, and NAS storage devices to meet security and compliance requirements. You can track AD management changes, processes, folder modifications, permissions changes, and more with 200+ reports and real-time alerts. You can also get out-of-the-box reports for compliance mandates such as HIPAA. To learn more, visit https://www.manageengine.com/active-directory-audit/.
