Account management events audit !!

Archived from groups: microsoft.public.win2000.active_directory (More info?)

Hello,

I've been auditing multiple events (System Events ,
Policy Changes , Logon Events , but specially all events
referents to Account management events like (User Account
create, User Account Deleted , etc ) However , I applied
the auditing to the default group everyone on Defaul
Domain Controller Policy , to check specially all changes
made by users with domain admin rights. But at this moment
they are changing users -passwords - deleting users and -
I don't receive any event id; for instance (ID:624-627-630)
at the moment they applied any change on the DC.

I would like to know what is my misconfiguration or I need
more configuartion or the default group it is not applied
right way ?

I will thanks any comment !!!
2 answers Last reply
More about account management events audit
  1. Archived from groups: microsoft.public.win2000.active_directory (More info?)

    You probably have no users in the Default Domain Controllers OU (Only domain
    controllers). Put the auditing on an OU that contains users -or- put the
    auditing on the default domain policy. That should take care of the
    problem.

    --

    Paul Bergson MCT, MCSE, MCSA, CNE, CNA, CCA

    This posting is provided "AS IS" with no warranties, and confers no rights.


    "fex" <anonymous@discussions.microsoft.com> wrote in message
    news:0dcc01c4d5a6$4888f880$a501280a@phx.gbl...
    >
    > Hello,
    >
    > I've been auditing multiple events (System Events ,
    > Policy Changes , Logon Events , but specially all events
    > referents to Account management events like (User Account
    > create, User Account Deleted , etc ) However , I applied
    > the auditing to the default group everyone on Defaul
    > Domain Controller Policy , to check specially all changes
    > made by users with domain admin rights. But at this moment
    > they are changing users -passwords - deleting users and -
    > I don't receive any event id; for instance (ID:624-627-630)
    > at the moment they applied any change on the DC.
    >
    > I would like to know what is my misconfiguration or I need
    > more configuartion or the default group it is not applied
    > right way ?
    >
    > I will thanks any comment !!!
  2. Archived from groups: microsoft.public.win2000.active_directory (More info?)

    I applied the audit to default domain policy -I created
    users, deleted users moved rights and after all those
    changes i can't see any event id (624-625-630)

    Thanks any comment !!

    >-----Original Message-----
    >You probably have no users in the Default Domain
    Controllers OU (Only domain
    >controllers). Put the auditing on an OU that contains
    users -or- put the
    >auditing on the default domain policy. That should take
    care of the
    >problem.
    >
    >--
    >
    >Paul Bergson MCT, MCSE, MCSA, CNE, CNA, CCA
    >
    >This posting is provided "AS IS" with no warranties, and
    confers no rights.
    >
    >
    >
    >"fex" <anonymous@discussions.microsoft.com> wrote in
    message
    >news:0dcc01c4d5a6$4888f880$a501280a@phx.gbl...
    >>
    >> Hello,
    >>
    >> I've been auditing multiple events (System Events ,
    >> Policy Changes , Logon Events , but specially all events
    >> referents to Account management events like (User
    Account
    >> create, User Account Deleted , etc ) However , I applied
    >> the auditing to the default group everyone on Defaul
    >> Domain Controller Policy , to check specially all
    changes
    >> made by users with domain admin rights. But at this
    moment
    >> they are changing users -passwords - deleting users
    and -
    >> I don't receive any event id; for instance (ID:624-627-
    630)
    >> at the moment they applied any change on the DC.
    >>
    >> I would like to know what is my misconfiguration or I
    need
    >> more configuartion or the default group it is not
    applied
    >> right way ?
    >>
    >> I will thanks any comment !!!
    >
    >
    >.
    >
Ask a new question

Read More

Management Events Active Directory Windows