Archived from groups: microsoft.public.win2000.security
OK. Then enable auditing of account management in the Domain Controller Security
Policy and look in the security logs of the domain controllers for Event ID 629. Be
sure to increase the size of the security logs on the domain controllers quite a bit
from default. 10MB would be a good starting point. You can use the filter view in
Event Viewer to narrow down the search for a particular event or use something like
the free Event Comb from Microsoft to scan multiple computer logs for events by
particular criteria.
--- Steve

"lara" <anonymous@discussions.microsoft.com> wrote in message
news:2c8001c47e51$e2189890$a301280a@phx.gbl...
> I mean a domain user account (mailbox enabled).
> >-----Original Message-----
> >If you mean local user account then you first need to enable auditing of account
> >management and then view the security log for Event ID 629. The link below goes into
> >more detail on auditing including specific Event IDs. --- Steve
> >
> >http://www.microsoft.com/technet/security/guidance/secmod144.mspx
> >
> >"lara" <anonymous@discussions.microsoft.com> wrote in message
> >news:2e0c01c47e41$3cf91f70$a501280a@phx.gbl...
> >> Hello,
> >>
> >> We would like to know who disabled an account on our
> >> Exchange server. Is there an event ID to look for?
> >>
> >>
> >> Thanks
> >>
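
The search described in the reply above (Event ID 629 across the security logs of several domain controllers) can be scripted once the logs are exported as comma-delimited text. The following is an added example, not part of the original thread: the column order, the sample rows and the description wording are constructed assumptions, and `find_disable_events` is a hypothetical helper name.

```python
import csv
import io
import re

# Assumed column order of a comma-delimited Security log export; adjust it
# to match the file your export tool actually produces.
COLUMNS = ["date", "time", "source", "type", "category",
           "event", "user", "computer", "description"]

# Constructed sample rows standing in for exports merged from two domain
# controllers. The description text is abbreviated and illustrative only.
SAMPLE_EXPORT = """\
8/9/2004,10:14:02 AM,Security,Success Audit,Account Management,642,EXAMPLE\\admin1,DC1,"User Account Changed: Target Account Name: jdoe Target Domain: EXAMPLE Caller User Name: admin1 Caller Domain: EXAMPLE"
8/9/2004,10:14:02 AM,Security,Success Audit,Account Management,629,EXAMPLE\\admin1,DC1,"User Account Disabled: Target Account Name: jdoe Target Domain: EXAMPLE Caller User Name: admin1 Caller Domain: EXAMPLE"
8/9/2004,11:30:45 AM,Security,Success Audit,Account Management,629,EXAMPLE\\helpdesk2,DC2,"User Account Disabled: Target Account Name: tempuser Target Domain: EXAMPLE Caller User Name: helpdesk2 Caller Domain: EXAMPLE"
8/9/2004,11:31:00 AM,Security,Success Audit,Logon/Logoff,538,EXAMPLE\\jdoe,DC2,"User Logoff: User Name: jdoe"
"""

def _field(description, label):
    """Pull the single-token value that follows 'label:' in an event description."""
    m = re.search(re.escape(label) + r":\s*(\S+)", description)
    return m.group(1) if m else None

def find_disable_events(export_text, target=None, event_id="629"):
    """Return who disabled which account, on which DC, for each matching event."""
    hits = []
    for row in csv.DictReader(io.StringIO(export_text), fieldnames=COLUMNS):
        if row["event"] != event_id:
            continue  # not an account-disabled event (or a short/malformed row)
        desc = row["description"] or ""
        account = _field(desc, "Target Account Name")
        # Windows account names are case-insensitive, so compare that way.
        if target and (account or "").lower() != target.lower():
            continue
        hits.append({
            "when": f'{row["date"]} {row["time"]}',
            "dc": row["computer"],
            "account": account,
            "disabled_by": _field(desc, "Caller User Name"),
        })
    return hits

if __name__ == "__main__":
    for hit in find_disable_events(SAMPLE_EXPORT, target="jdoe"):
        print(hit)
```

Concatenate the exports from every domain controller before searching, because the event is written only on the controller that processed the change.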