Filter audit events (user and group)
When auditing is enabled on domain controllers, the security log quickly grows in size (depending on your settings). When you have 200.000 records and need to quickly filter the security log for a specific event, it's useful to know a few Event IDs for user and group objects.
The following table lists the most common events for user objects:
| Event ID | Description |
| --- | --- |
| 624 | User account created |
| 626 | User account enabled |
| 627 | Attempt to change password |
| 628 | Administrator has changed a password |
| 629 | Account disabled |
| 630 | User account deleted |
| 642 | Change of account properties |
| 644 | User account locked |
| 671 | User account unlocked |
The following table lists the most common events for group objects:
| Type | Scope | Created | Changed | Deleted | Member added | Member removed |
| --- | --- | --- | --- | --- | --- | --- |
| Security | Local | 635 | 641 | 638 | 636 | 637 |
| Security | Global | 631 | 639 | 634 | 632 | 633 |
| Security | Universal | 658 | 659 | 662 | 660 | 661 |
| Distribution | Local | 648 | 649 | 652 | 650 | 651 |
| Distribution | Global | 653 | 654 | 657 | 655 | 656 |
| Distribution | Universal | 663 | 664 | 667 | 665 | 666 |
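
One way to apply the IDs from both tables as a log filter, shown as an added example that is not part of the original page: the function name, its parameters and the `-IdOffset` value are assumptions of this example. The offset reflects that Windows Vista / Server 2008 and later log the same events under the legacy ID plus 4096 (624 becomes 4720), which the page itself does not cover.

```powershell
# Added example: IDs are taken from the tables above; all names here are hypothetical.
$UserIds = @{
    624 = 'User account created';          626 = 'User account enabled'
    627 = 'Attempt to change password';    628 = 'Administrator has changed a password'
    629 = 'Account disabled';              630 = 'User account deleted'
    642 = 'Change of account properties';  644 = 'User account locked'
    671 = 'User account unlocked'
}
# Per scope, IDs in column order: created, changed, deleted, member added, member removed.
$Actions   = 'created', 'changed', 'deleted', 'member added', 'member removed'
$GroupRows = @{
    SecurityGroup     = @{ Local = 635,641,638,636,637; Global = 631,639,634,632,633; Universal = 658,659,662,660,661 }
    DistributionGroup = @{ Local = 648,649,652,650,651; Global = 653,654,657,655,656; Universal = 663,664,667,665,666 }
}

function Get-AccountAuditEvent {
    param(
        [Parameter(Mandatory)][ValidateSet('User', 'SecurityGroup', 'DistributionGroup')]
        [string]$Category,
        [datetime]$After = (Get-Date).AddDays(-1),
        [string]$ComputerName = 'localhost',
        [int]$IdOffset = 0   # assumption: 4096 on Windows Vista / Server 2008 and later
    )
    # Build an ID -> description map for the requested category only.
    $map = @{}
    if ($Category -eq 'User') {
        foreach ($id in $UserIds.Keys) { $map[$id + $IdOffset] = $UserIds[$id] }
    } else {
        foreach ($scope in $GroupRows[$Category].Keys) {
            $ids = $GroupRows[$Category][$scope]
            for ($i = 0; $i -lt $ids.Count; $i++) {
                $map[$ids[$i] + $IdOffset] = "$scope group $($Actions[$i])"
            }
        }
    }
    # The event log service evaluates the filter, so only matching records come back.
    $filter = @{ LogName = 'Security'; Id = [int[]]@($map.Keys); StartTime = $After }
    try {
        $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction Stop
    } catch {
        # "No events found" is a normal result; access or RPC errors are rethrown.
        if ($_.FullyQualifiedErrorId -notlike 'NoMatchingEventsFound*') { throw }
        $events = @()
    }
    $events | Select-Object TimeCreated, MachineName, Id,
        @{ Name = 'Description'; Expression = { $map[[int]$_.Id] } }
}
```

Reading the Security log needs an elevated session or membership in Event Log Readers; a typical call is `Get-AccountAuditEvent -Category User -After (Get-Date).AddDays(-7) -IdOffset 4096`.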




