Sign in with
Sign up | Sign in
Your question

Who disabled this account?

Last response: in Windows 2000/NT
Share
Anonymous
a b 8 Security
August 9, 2004 3:46:53 PM

Archived from groups: microsoft.public.win2000.security (More info?)

Hello,

We would like to know who disabled an account on our
exchange server. Is there an event ID to look for.


Thanks

More about : disabled account

Anonymous
a b 8 Security
August 9, 2004 11:37:33 PM

Archived from groups: microsoft.public.win2000.security (More info?)

If you mean local user account then you first need to enable auditing of account
management and then view the security log for Event ID 629. The link below goes into
more detail on auditing including specific Event ID's. --- Steve

http://www.microsoft.com/technet/security/guidance/secm...

"lara" <anonymous@discussions.microsoft.com> wrote in message
news:2e0c01c47e41$3cf91f70$a501280a@phx.gbl...
> Hello,
>
> We would like to know who disabled an account on our
> exchange server. Is there an event ID to look for.
>
>
> Thanks
>
Anonymous
a b 8 Security
August 9, 2004 11:37:34 PM

Archived from groups: microsoft.public.win2000.security (More info?)

I mean a domain user account (mailbox enabled).
>-----Original Message-----
>If you mean local user account then you first need to
enable auditing of account
>management and then view the security log for Event ID
629. The link below goes into
>more detail on auditing including specific Event ID's. --
- Steve
>
>http://www.microsoft.com/technet/security/guidance/secm...
44.mspx
>
>"lara" <anonymous@discussions.microsoft.com> wrote in
message
>news:2e0c01c47e41$3cf91f70$a501280a@phx.gbl...
>> Hello,
>>
>> We would like to know who disabled an account on our
>> exchange server. Is there an event ID to look for.
>>
>>
>> Thanks
>>
>
>
>.
>
Anonymous
a b 8 Security
August 10, 2004 7:05:52 AM

Archived from groups: microsoft.public.win2000.security (More info?)

OK. Then enable auditing of account management in the Domain Controller Security
Policy and look in the security logs of the domain controllers for Event ID 629. Be
sure to increase the size of the security logs on the domain controllers quite a bit
from default. 10MB would be a good starting point. You can use the filter view in
Event Viewer to narrow down the search for a particular event or use something like
the free Event Comb from Microsoft to scan multiple computer logs for events by
particular criteria. --- Steve


"lara" <anonymous@discussions.microsoft.com> wrote in message
news:2c8001c47e51$e2189890$a301280a@phx.gbl...
> I mean a domain user account (mailbox enabled).
> >-----Original Message-----
> >If you mean local user account then you first need to
> enable auditing of account
> >management and then view the security log for Event ID
> 629. The link below goes into
> >more detail on auditing including specific Event ID's. --
> - Steve
> >
> >http://www.microsoft.com/technet/security/guidance/secm...
> 44.mspx
> >
> >"lara" <anonymous@discussions.microsoft.com> wrote in
> message
> >news:2e0c01c47e41$3cf91f70$a501280a@phx.gbl...
> >> Hello,
> >>
> >> We would like to know who disabled an account on our
> >> exchange server. Is there an event ID to look for.
> >>
> >>
> >> Thanks
> >>
> >
> >
> >.
> >
!