Windows security event log library

4768

A Kerberos authentication ticket (TGT) was requested.
This event is generated every time a user's credentials are checked out. It is logged only on domain controllers for both success and failure events.

4771

Kerberos pre-authentication failed.
This event is generated every time a request for a TGT fails (e.g., due to a bad or expired password). It is logged only on domain controllers and only for failure events.

4720

A user account was created.
This event is generated every time a new user account is created. It is logged on domain controllers, member servers, and workstations.

4722

A user account was enabled.
This event is generated every time a user or computer account is enabled. For user objects, it is logged on domain controllers, member servers, and workstations. For computers, it is logged only on domain controllers.

4723

An attempt was made to change an account's password.
This event is generated every time a user tries to change their own password. For user objects, it is logged on domain controllers, member servers, and workstations.

4724

An attempt was made to reset an account's password.
This event is generated every time a user tries to change the password on another account. For user objects, it is logged on domain controllers, member servers, and workstations.

4725

A user account was disabled.
This event is generated every time a user or computer account is disabled. For user objects, it is logged on domain controllers, member servers, and workstations. For computers, it is logged only on domain controllers.

4726

A user account was deleted.
This event is generated every time a user object is deleted. It is logged on domain controllers, member servers, and workstations

4727

A security-enabled global group was created.
This event is generated every time a user creates a security group with global scope. It is logged only on domain controllers.

4728

A member was added to a security-enabled global group.
This event is generated every time a user, computer, or group is added to a security group with global scope. It is logged only on domain controllers.

4744

A security-disabled local group was created.
This event is generated every time a user creates a distribution group with domain local scope. It is logged only on domain controllers.

4745

A security-disabled local group was changed.
This event is generated every time a user modifies a distribution group with domain local scope. It is logged only on domain controllers.

4746

A member was added to a security-disabled local group.
This event is generated every time a user, computer, or group is added to a distribution group with domain local scope. It is logged only on domain controllers.

4747

A member was removed from a security-disabled local group.
This event is generated every time a user, computer, or group is removed from a distribution group with domain local scope. It is logged only on domain controllers.

4748

A security-disabled local group was deleted.
This event is generated every time a distribution group with domain local scope is deleted. It is logged only on domain controllers.

4749

A security-disabled global group was created.
This event is generated every time a user creates a distribution group with global scope. It is logged only on domain controllers.

4750

A security-disabled global group was changed.
This event is generated every time a user modifies a distribution group with global scope. It is logged only on domain controllers.

4751

A member was added to a security-disabled global group.
This event is generated every time a user, computer, or group is added to a distribution group with global scope. It is logged only on domain controllers.

4752

A member was removed from a security-disabled global group.
This event is generated every time a user, computer, or group is removed from a distribution group with global scope. It is logged only on domain controllers.

4753

A security-disabled global group was deleted.
This event is generated every time a distribution group with global scope is deleted. It is logged only on domain controllers.

4803

The screen saver was dismissed.
This event is generated every time a user dismisses their screen saver. It is logged on domain controllers, member servers, and workstations.

4656

A handle to an object was requested.
This event is generated every time specific access is requested for an object. The object could be a file system, kernel, or registry object, or a file system object on removable storage or a device. It is logged on domain controllers, member servers, and workstations.

4660

An object was deleted.
This event is generated every time an Active Directory object is deleted. It is logged on domain controllers, member servers, and workstations.

4663

An attempt was made to access an object.
This event is generated every time an Active Directory object is accessed, and it logs the type of access used. It is logged on domain controllers, member servers, and workstations.

4670

Permissions on an object were changed.
This event is generated every time a user modifies the access control list of an Active Directory object. It is logged on domain controllers, member servers, and workstations.

4907

Auditing settings on an object were changed.
This event is generated every time the SACL of an object, such as a file or a registry key, is changed. It is logged on domain controllers, member servers, and workstations.

560

A handle to an object was requested.
This event is generated every time specific access is requested for an object, such as a file system, kernel, registry object, or a file system object on a removable storage device. It is logged on domain controllers, member servers, and workstations.

563

An object was opened for deletion.
This event is generated every time an object is accessed successfully with the intention of deleting it. It is logged on domain controllers, member servers, and workstations.

564

An object was deleted.
This event is generated every time an Active Directory object is successfully deleted. It is logged on domain controllers, member servers, and workstations.

567

An attempt was made to access an object.
This event is generated every time a user or program attempts to open an Active Directory object. It is logged on domain controllers, member servers, and workstations.

4648

A logon was attempted using explicit credentials.
This event is generated every time a process attempts to log on to an account by explicitly specifying that account's credentials. It is logged on domain controllers, member servers, and workstations.

6272

Network Policy Server (NPS) granted access to a user.
This event is generated every time NPS grants access to a user. It is logged only on NPS.

6273

NPS denied access to a user.
This event is generated every time NPS denies access to a user. It is logged only on NPS.

6274

NPS discarded the request for a user.
This event is generated every time NPS discards a user’s request because the structure of the request does not comply with the RADIUS protocol. It is logged only on NPS.

6275

NPS discarded the accounting request for a user.
This event is generated every time NPS discards an accounting request from a RADIUS client because the structure of the request does not comply with the RADIUS protocol. It is logged only on NPS.

6276

NPS quarantined a user.
This event is generated every time NPS quarantines a user for multiple authentication failures. It is logged only on NPS.

6277

NPS granted access to a user, but put the user on probation because the host did not meet the defined health policy.
This event is generated every time NPS puts a user on probation after granting access because the host could not meet the defined health policy. It is logged only on NPS.

6278

NPS granted access to a user because the host met the defined health policy.
This event is generated every time NPS grants access to a user since the host has met the defined health policy. It is logged only on NPS.

6279

NPS locked the user account due to repeat failed authentication attempts.
This event is generated every time NPS locks a user account due to repeat failed authentication attempts. It is logged only on NPS.

6280

NPS unlocked the user account.
This event is generated every time NPS unlocks a user account after the account lockout. It is logged only on NPS.

303

A client disconnected from the resource.
This event is generated every time a user on a client computer is disconnected from the network resource. It is logged only on the Terminal Services Gateway (TSG).

304

The user met the connection authorization policy and resource authorization policy requirements, but could not connect to the resource.
This event is generated every time the user is unable to connect to the network resource even after meeting the connection and resource authorization policies. It is logged only on the Terminal Services Gateway (TSG).

412

AD FS token issued.
This event is generated every time AD FS issues a trusted token for authenticating a user based on a set of claims. It is logged only on a federation server [a Windows server where Active Directory Federation Services (AD FS) is installed].

500

Issued identity.
This event is generated every time a unique identity is issued to identify configuration objects and partner network addresses. It is logged only on a federation server.

501

Caller identity.
This event is generated every time a token issuance failure occurs for that caller identity. It is logged only on a federation server.

299

Token issued.
This event is generated every time a token is issued by AD FS for having the necessary claims to authorize user access to the application. It is logged only on a federation server.

403

Caller identity.
This event is generated every time the DNS server cannot create a Transmission Control Protocol (TCP) socket. It is logged only on a federation server.

1200

Application token success.
This event is generated every time an application token is issued successfully by AD FS for an authentication request. It is logged only on a federation server.

1201

Application token failure.
This event is generated every time an application token issuance by AD FS fails for an authentication request. It is logged only on a federation server.

2093

FSMO role not responding.
This event is generated every time the remote server, that is, the Flexible Single Master Operations (FSMO), is unresponsive. It is logged only on domain controllers.

1837

An attempt to transfer the operations master role failed.
This event is generated every time an attempt to transfer the FSMO role by the user fails. It is logged only on domain controllers.

2089

This directory partition has not been backed up since at least the following number of days.
This event is generated every time a backup hasn't been created since the enabled backup latency threshold. It is logged only on domain controllers.

2889

Lightweight Directory Access Protocol (LDAP) bind.
This event is generated every time a client initiates an LDAP bind without requesting the verification that the directory server is not configured to reject. It is logged only on domain controllers.

4769

A Kerberos service ticket was requested.
This event is generated every time a user requests access to a network resource, such as a computer, which results in the Key Distribution Center (KDC) getting a Kerberos Ticket Granting Service (TGS) ticket request for authentication. It is logged only on domain controllers.

4672

Special privileges assigned to new logon.
This event is generated every time sensitive privileges are assigned to a new logon session. It is logged on domain controllers, member servers, and workstations.

4908

The special groups logon table was modified.
This event is generated every time a security identifier (SID) is added to a special group for auditing purposes. It is logged on domain controllers, member servers, and workstations.

4798

A user's local group membership was enumerated.
This event is generated every time a process enumerates the list of security groups that a user belongs to. It is logged on member servers and workstations.

4729

A member was removed from a security-enabled global group.
This event is generated when a user, group, or computer is removed from a security-enabled global group. It is logged only on domain controllers.

4730

A security-enabled global group was deleted.
This event is generated when a security-enabled global group is deleted. It is logged only on domain controllers.

4731

A security-enabled local group was created.
This event is generated when a security-enabled local group is created. It is logged on domain controllers for domain local groups, or on member computers for local SAM groups.

4732

A member was added to a security-enabled local group.
This event is generated when users, groups, or computers are added to a security-enabled local group. It is logged on domain controllers for domain local groups, or on member computers for local SAM groups.

4733

A member was removed from a security-enabled local group.
This event is generated when users, groups, or computers are removed from a security-enabled local group. It is logged on domain controllers for domain local groups, or on member computers for local SAM groups.

4734

A security-enabled local group was deleted.
This event is generated when a security-enabled local group is deleted. It is logged on domain controllers for domain local groups, or on member computers for local SAM groups.

4735

A security-enabled local group was changed.
This event is generated when a security-enabled local group is modified. It is logged on domain controllers for domain local groups, or on member computers for local SAM groups.

4737

A security-enabled global group was changed.
This event is generated when a security-enabled global group is changed. It is logged only on domain controllers.

4738

A user account was changed.
This event is generated when the attributes of a user object are modified. It is logged on domain controllers for domain accounts, and on member computers for local accounts.

4739

Domain Policy was changed.
This event is generated when an Active Directory Domain Policy is changed. It is logged on domain controllers and member computers.

4759

A security-disabled universal group was created.
This event is generated when a universal distribution group is created. It is logged only on domain controllers.

4760

A security-disabled universal group account was changed.
This event is generated when a universal distribution group is changed. It is logged only on domain controllers.

4761

A member was added to a security-disabled universal group.
This event is generated when Active Directory objects, such as users, groups, or computers, are added to a universal distribution group. It is logged only on domain controllers.

4762

A member was removed from a security-disabled universal group.
This event is generated when Active Directory objects, such as users, groups, or computers, are removed from a universal distribution group. It is logged only on domain controllers.

4763

A security-disabled universal group was deleted.
This event is generated when a universal distribution group is deleted. It is logged only on domain controllers.

4764

A group type was changed.
This event is generated when a group type or scope is changed. It is logged only on domain controllers.

4781

The name of an account was changed.
This event is generated when the name of a user or computer account (sAMAccountName attribute) is changed. It is logged only on domain controllers for computer accounts, and on domain controllers and member computers for user accounts.

5137

A directory service object was created.
This event is generated when an Active Directory object is created, provided proper SACLs are configured for the parent object. It is logged only on domain controllers.

5139

A directory service object was moved.
This event is generated when an Active Directory object is moved from one OU to another. It is logged only on domain controllers.

5141

A directory service object was deleted.
This event is generated when an Active Directory object is deleted. It is logged on domain controllers and member computers.

4659

A handle to an object was requested with intent to delete.
This event is generated when an installed patch requires the replacement of a file opened by Windows. It is logged on domain controllers and member computers.

6416

A new external device was recognized by the system.
This event is generated when a new external device, such as a USB, is connected to the system. It is logged on servers and workstations.

4608

Windows is starting up.
This event is generated when a Windows machine is started. It is logged on domain controllers and member computers.

4609

Windows is shutting down.
This event is generated when a Windows machine is shutting down. It is logged on domain controllers and member computers.

1102

The audit log was cleared.
This event is generated whenever the security log is cleared. It is logged on domain controllers and member computers.

4614

A notification package has been loaded by the Security Account Manager.
This event is generated when a user attempts to change their password. It is logged on domain controllers and member computers.

4616

The system time was changed.
This event is generated when the system time is changed. It is logged on domain controllers and member computers.

4704

A user right was assigned.
This event is generated when a user is assigned privileges. It is logged only on domain controllers.

4705

A user right was removed.
This event is generated when a user's privileges are removed. It is logged only on domain controllers.

4719

System audit policy was changed.
This event is generated when an audit policy is disabled, regardless of the "Audit Policy Change" sub-category setting. It is logged on domain controllers and member computers.

4662

An operation was performed on an object.
This event is generated when a user accesses an Active Directory object. It is logged only on domain controllers.

5140

A network share object was accessed.
This event is generated when a network share object is accessed. It is logged on domain controllers and member computers.

5142

A network share object was added.
This event is generated whenever a network share object is added. It is logged on domain controllers and member computers.

5143

A network share object was modified.
This event is generated whenever a network share object is modified. It is logged on domain controllers and member computers.

5144

A network share object was deleted.
This event is generated whenever a network share object is deleted. It is logged on domain controllers and member computers.

9999

An object was renamed.
This event is generated when an Active Directory object is renamed. It is logged on domain controllers and member computers.

521

Unable to log events in the security log.
This event is generated when Windows is unable to write events to the security event log. It is logged on domain controllers and member computers.

4697

A service was installed in the system.
This event is generated when a new service is installed on a system. It is logged on domain controllers and member computers.

1100

The event logging service has shut down.
This event is generated during a normal system shutdown, and when the Windows Event Log service shuts down. It is logged on domain controllers and member computers.

1202

Fresh credential validation success.
This event is generated when fresh credentials are validated successfully by AD FS. It is logged on domain controllers and member computers.

1203

Fresh credential validation error.
This event is generated when fresh credential validation fails in AD FS. It is logged on domain controllers and member computers.

1210

Extranet lockout.
This event is generated when a user is locked out of, or when a locked out user attempts to log in to, AD FS. It is logged on domain controllers and member computers.

516

Extranet lockout.
This event is generated when a user account is locked out due to too many bad password submissions to AD FS. It is logged on domain controllers and member computers.

410

Extranet lockout.
This event is generated right after an AD FS authentication request is initiated, and contains context headers. It is logged on domain controllers and member computers.

411

Extranet lockout.
This AD FS event is generated when token validation fails. It is logged on domain controllers and member computers.

4618

A monitored security event pattern has occurred.
This event is generated when Windows is configured to generate alerts per the Common Criteria security audit analysis requirements and an auditable event pattern occurs. It is logged on domain controllers and member computers.

4649

A replay attack was detected.
This event is generated when the same packets are sent by a misconfigured network device between the server and the client. It is logged on domain controllers and member computers.

4765

SID History was added to an account.
This event is generated when SID History is added to an account in Active Directory. It is logged on domain controllers and member computers.

4766

An attempt to add SID History to an account failed.
This event is generated when there is an attempt to add SID History to an account. It is logged on domain controllers and member computers.

4799

A security-enabled local group membership was enumerated.
This event is generated when a process enumerates a user's local security groups on a computer or device. It is logged on domain controllers and member computers.

5378

The requested credentials delegation was disallowed by policy.
This event is generated when the CredSSP delegation for a WinRM double-hop session is not set properly. It is logged on domain controllers and member computers.

5633

A request was made to authenticate to a wired network.
This event is generated when a network adapter connects to a new wired network and an 802.1x authentication attempt is made for that network. It is logged on domain controllers and member computers.

5632

A request was made to authenticate to a wireless network.
This event is generated when a network adapter connects to a new wireless network and an 802.1x authentication attempt is made for that network. It is logged on domain controllers and member computers.

4610

An authentication package has been loaded by the Local Security Authority.
This event is generated at startup for each authentication package on the system. It is logged on domain controllers and member computers.

4611

A trusted logon process has been registered with the Local Security Authority.
This event is generated when a logon process is registered with the Local Security Authority to submit trusted logon requests. It is logged on domain controllers and member computers.

4622

A security package has been loaded by the Local Security Authority.
This event is generated when a security package is loaded by the Local Security Authority. It is logged on domain controllers and member computers.

7045

A new service was installed in the system.
A new service was installed in the system.

4740

A user account was locked out.
This event is generated when a user account gets locked out. It is logged on domain controllers, member servers, and workstations.

4741

A computer account was created.
This event is generated when a new computer object is created. It is logged only on domain controllers.

4742

A computer account was changed
This event is generated when a computer object is changed. It is logged only on domain controllers.

4743

A computer account was deleted.
This event is generated when a computer object is deleted. It is logged only on domain controllers.

4754

A security-enabled universal group was created.
This event is generated when a universal security group is created. It is logged only on domain controllers.

4755

A security-enabled universal group was changed.
This event is generated when a universal security group is changed. It is logged only on domain controllers.

4756

A member was added to a security-enabled universal group.
This event is generated when a member is added to a universal security group. It is logged only on domain controllers.

4757

A member was removed from a security-enabled universal group.
This event is generated when a member is removed from a universal security group. It is logged only on domain controllers.

4758

A security-enabled universal group was deleted.
This event is generated when a universal security group is deleted. It is logged only on domain controllers.

4767

A user account was unlocked.
This event is generated when a user account gets unlocked (when the Unlock Account checkbox on the user's account tab is selected). It is logged on domain controllers, member servers, and workstations.

5136

A directory service object was modified.
This event is generated when an Active Directory object is modified. It is logged only on domain controllers.

5138

A directory service object was undeleted.
This event is generated when an Active Directory object is undeleted. It is logged only on domain controllers.

4624

An account successfully logged on.
This event is generated when there is a successful logon to a local computer. It is logged on domain controllers, member servers, and workstations.

4625

An account failed to log on.
This event is generated when there is a failed attempt to log on to a local computer. It is logged on domain controllers, member servers, and workstations.

4800

A workstation was locked.
This event is generated when a workstation is locked (when a user manually locks their workstation, or when the workstation automatically locks itself after a period of inactivity). It is logged only on workstations.

4801

A workstation was unlocked.
This event is generated when a workstation is unlocked. It is logged only on workstations.

4647

User initiated logoff.
This event is generated when logoff is initiated. It is logged on domain controllers, member servers, and workstations.

4778

A session was reconnected to a Window Station.
This event is generated when a user reconnects to an existing Terminal Services session, or when a user switches to an existing desktop using Fast User Switching. It is logged on domain controllers, member servers, and workstations.

4779

A session was disconnected from a Window Station.
This event is generated when a user disconnects from an existing Terminal Services session, or when a user switches away from an existing desktop using Fast User Switching. It is logged on domain controllers, member servers, and workstations.

4802

The screen saver was invoked.
This event is generated when a workstation activates the screen saver in response to a period of inactivity. It is logged only on workstations.

4714

Encrypted data recovery policy was changed.
This event is generated when a computer's Security Settings\Public Key Policies\Encrypting File System data recovery agent policy is modified (either via Local Security Policy or Group Policy in Active Directory). It is logged on domain controllers, member servers, and workstations.

4717

System security access was granted to an account.
This event is generated when a logon right (such as "Access this computer from the network") is granted to an account. It is logged on domain controllers, member servers, and workstations.

4718

System security access was removed from an account.
This event is generated when a logon right (such as "Access this computer from the network") is removed from an account. It is logged on domain controllers, member servers, and workstations.

4688

A new process has been created.
This event is generated when a new process starts. It is logged on domain controllers, member servers, and workstations.

4689

A process has exited.
This event is generated when a process ends. It is logged on domain controllers, member servers, and workstations.

4698

A scheduled task was created.
This event is generated when a new scheduled task is created. It is logged on domain controllers, member servers, and workstations.

4699

A scheduled task was deleted.
This event is generated when a scheduled task is deleted. It is logged on domain controllers, member servers, and workstations.

4700

A scheduled task was enabled.
This event is generated when a scheduled task is enabled. It is logged on domain controllers, member servers, and workstations.

4701

A scheduled task was disabled.
This event is generated when a scheduled task is disabled. It is logged on domain controllers, member servers, and workstations.

4702

A scheduled task was updated.
This event is generated when a scheduled task is updated or changed. It is logged on domain controllers, member servers, and workstations.

1101

Audit events have been dropped by the transport.
This event is generated when restarting Windows after a dirty shutdown. It is logged on domain controllers, member servers, and workstations

1104

The security log is now full.
This event is generated when the Windows security log becomes full. It is logged on domain controllers, member servers, and workstations.

1105

Event log automatic backup.
This event is generated when the Windows security log becomes full and a new event log file is created (for example, when the maximum size of Security Event Log file is reached and event log retention method has been set to “Archive the log when full, do not overwrite events”). It is logged on domain controllers, member servers, and workstations.

1108

The event logging service encountered an error.
This event is generated when the event logging service encounters an error while processing an incoming event. It is logged on domain controllers, member servers, and workstations.

201

Task Scheduler successfully completed a task.
This event is generated when the Task Scheduler completes a task. It is logged on domain controllers, member servers, and workstations.

202

Task Scheduler failed to complete a task.
This event is generated when the Task Scheduler fails to complete a task. It is logged on domain controllers, member servers, and workstations.

203

Task Scheduler failed to launch a task.
This event is generated when the Task Scheduler fails to launch a task. It is logged on domain controllers, member servers, and workstations.

204

Network Access Protection (NAP) policies were not met, so the user was not authorized to connect to the TS Gateway server.
This event is generated when NAP policies are not met, so the user is not authorized to connect to the TS Gateway server. It is logged only on Gateway servers.

301

Resource authorization policy requirements were not met, so the user was not authorized to access the TS Gateway server.
This event is generated when resource authorization policy requirements are not met, so the user is not authorized to access the TS Gateway server. It is logged only on Gateway servers.

302

User connected to the TS Gateway server.
This event is generated when the user connects to the TS Gateway server. It is logged only on Gateway servers.

4794

An attempt was made to set the Directory Services Restore Mode administrator password.
This event is generated when the Directory Services Restore Mode (DSRM) administrator password is changed. It is logged only on domain controllers.

4897

Role separation enabled.
This event is generated when an AD CS server starts and whenever role separation is actually changed. It is logged only on Active Directory Certificate Services (AD CS) servers.

4964

This event is generated when an AD CS server starts and whenever role separation is actually changed. It is logged only on Active Directory Certificate Services (AD CS) servers.
This event is generated when an account that is a member of any defined Special Group logs on. It is logged on domain controllers, member servers, and workstations.

5124

A security setting was updated on OCSP Responder Service.
This event is generated when a security setting is updated on OCSP Responder Service. It is logged only on OCSP responders/AD CS servers.

2887

LDAP signing.
This event is generated when a client computer attempts an unsigned LDAP bind. It is logged only on domain controllers.

1644

LDAP searches.
This event is generated when an LDAP search made by a client against the directory breaches the inexpensive and/or inefficient search thresholds (it will only be logged if you set the Field Engineering reg key to 5 or higher). It is logged only on domain controllers.

1643

Number of LDAP searches.
This event logs the number of LDAP searches performed in a time interval and each time garbage collection is run on a domain controller (it will only be logged if you set the Field Engineering reg key to 4 or higher). It is logged only on domain controllers.

1317

LDAP connection timed out.
This event is generated when the local domain controller disconnects the LDAP connection from the specified network address because of a time-out. It is logged only on domain controllers.

1458

FSMO role transferred.
This event is generated when an FSMO role is transferred from one domain controller to another. It is logged only on domain controllers.

2092

FSMO replication.
This event is generated when a server is the owner of an FSMO role but does not consider it valid (replication errors prevent validation of the role). It is logged only on domain controllers.

4713

Kerberos policy was changed.
This event is generated when the Kerberos policy is changed. It is logged only on domain controllers.

6005

The Event Log service was started.
This event is generated when the Event Log service is started. It is logged on domain controllers, member servers, and workstations.

6006

The Event Log service was stopped.
This event is generated when the Event Log service is stopped. It is logged on domain controllers, member servers, and workstations.

6008

Unexpected system shutdown.
This event is generated when a system shuts down unexpectedly. It is logged on domain controllers, member servers, and workstations.

1074

System has been shutdown by a process or user.
This event is generated when an application causes the system to restart, or when the user initiates a restart or shutdown. It is logged on domain controllers, member servers, and workstations.

Active Directory auditing

Windows file auditing

NAS device file auditing

Windows server auditing

Workstation auditing

Entra ID auditing

All features →

Help documents

Video zone

Webinars

Product brochures

Case studies

E-books

Awards zone

Study

How tos

Best practices

EVENT ID

Audit Categories:

ADAudit Plus Offers

ADAudit Plus Trusted By

Meet all auditing and IT security needs with ADAudit Plus.

A single pane of glass for complete Active Directory Auditing and Reporting

Identity and access management

Unified service management

Unified endpoint management and security

IT operations management and observability

Security information and event management

Advanced IT analytics

Low-code app development

Cloud solutions for enterprise IT

IT management for MSPs

Active Directory management Manage, track, and secure Active Directory

Identity governance and administrationOrchestrate user identity management and access controls for Zero Trust

Privileged access managementControl and secure privileged access to critical enterprise systems

Enterprise and IT service managementDeliver a consistent employee experience across business functions

Customer service managementBuild a one-stop portal for customers with efficient account management

IT asset managementCentralize and automate the complete IT asset life cycle

SIEM Spot, investigate, and neutralize security threats

Log and compliance managementGain deeper visibility into security events and ensure compliance

Security auditingAudit Active Directory, cloud platforms and files to enhance your security posture

Endpoint management and protection platform (UEM and EPP)Secure and manage endpoints to protect your IT assets effectively

Endpoint managementAchieve intelligent IT device management with zero user intervention

Endpoint securityDefend against threat actors with proactive and reactive measures

Full-stack observability and digital experience monitoringAchieve end-to-end visibility, proactive issue resolution, and enhanced security

Network and server performance monitoringEnsure network, server, and storage reliability with AI-powered insights

IT incident managementEfficiently manage and resolve IT incidents while ensuring transparency

DNS and DHCP managementOptimize IP address and domain management

Cloud cost managementRight-size and take control of your cloud costs

IT analyticsConnect to your IT applications and visualize all facets of your IT

Cloud-native solutions for IT managementMonitor, manage, audit, and secure your multi-cloudand hybrid infrastructure

Business applications for ITBoost productivity and improve team collaboration

Custom solution builderBuild tailor-made apps to automate operations at your organization

Solutions for MSPsGrow your MSP business with scalable and secure IT management solutions

Windows security event log library

EVENT ID

Audit Categories:

ADAudit Plus Offers

ADAudit Plus Trusted By

Meet all auditing and IT security needs with ADAudit Plus.

A single pane of glass for complete Active Directory Auditing and Reporting

Active Directory
management Manage, track, and secure Active Directory

Identity governance
and administrationOrchestrate user identity management and access controls for Zero Trust

Privileged access
managementControl and secure privileged access to critical enterprise systems

Enterprise and IT service
managementDeliver a consistent employee experience across business functions

Customer service
managementBuild a one-stop portal for customers with efficient account management

IT asset
managementCentralize and automate the complete IT asset life cycle

Network and server
performance monitoringEnsure network, server, and storage reliability with AI-powered insights

IT incident
managementEfficiently manage and resolve IT incidents while ensuring transparency

Cloud-native solutions for IT managementMonitor, manage, audit, and secure your multi-cloud
and hybrid infrastructure