Who disabled this account?

Archived from groups: microsoft.public.win2000.security (More info?)

Hello,

We would like to know who disabled an account on our
exchange server. Is there an event ID to look for.


Thanks
3 answers Last reply
More about disabled account
  1. Archived from groups: microsoft.public.win2000.security (More info?)

    If you mean local user account then you first need to enable auditing of account
    management and then view the security log for Event ID 629. The link below goes into
    more detail on auditing including specific Event ID's. --- Steve

    http://www.microsoft.com/technet/security/guidance/secmod144.mspx

    "lara" <anonymous@discussions.microsoft.com> wrote in message
    news:2e0c01c47e41$3cf91f70$a501280a@phx.gbl...
    > Hello,
    >
    > We would like to know who disabled an account on our
    > exchange server. Is there an event ID to look for.
    >
    >
    > Thanks
    >
  2. Archived from groups: microsoft.public.win2000.security (More info?)

    I mean a domain user account (mailbox enabled).
    >-----Original Message-----
    >If you mean local user account then you first need to
    enable auditing of account
    >management and then view the security log for Event ID
    629. The link below goes into
    >more detail on auditing including specific Event ID's. --
    - Steve
    >
    >http://www.microsoft.com/technet/security/guidance/secmod1
    44.mspx
    >
    >"lara" <anonymous@discussions.microsoft.com> wrote in
    message
    >news:2e0c01c47e41$3cf91f70$a501280a@phx.gbl...
    >> Hello,
    >>
    >> We would like to know who disabled an account on our
    >> exchange server. Is there an event ID to look for.
    >>
    >>
    >> Thanks
    >>
    >
    >
    >.
    >
  3. Archived from groups: microsoft.public.win2000.security (More info?)

    OK. Then enable auditing of account management in the Domain Controller Security
    Policy and look in the security logs of the domain controllers for Event ID 629. Be
    sure to increase the size of the security logs on the domain controllers quite a bit
    from default. 10MB would be a good starting point. You can use the filter view in
    Event Viewer to narrow down the search for a particular event or use something like
    the free Event Comb from Microsoft to scan multiple computer logs for events by
    particular criteria. --- Steve


    "lara" <anonymous@discussions.microsoft.com> wrote in message
    news:2c8001c47e51$e2189890$a301280a@phx.gbl...
    > I mean a domain user account (mailbox enabled).
    > >-----Original Message-----
    > >If you mean local user account then you first need to
    > enable auditing of account
    > >management and then view the security log for Event ID
    > 629. The link below goes into
    > >more detail on auditing including specific Event ID's. --
    > - Steve
    > >
    > >http://www.microsoft.com/technet/security/guidance/secmod1
    > 44.mspx
    > >
    > >"lara" <anonymous@discussions.microsoft.com> wrote in
    > message
    > >news:2e0c01c47e41$3cf91f70$a501280a@phx.gbl...
    > >> Hello,
    > >>
    > >> We would like to know who disabled an account on our
    > >> exchange server. Is there an event ID to look for.
    > >>
    > >>
    > >> Thanks
    > >>
    > >
    > >
    > >.
    > >
Ask a new question

Read More

Security Exchange Server Microsoft Windows