Re: How to enable Auditing to trace who disabled user's account.



Enable auditing of account management in Domain Controller Security Policy
and look for account management evens in the security logs of the domain
controllers such as for Event ID 629 as shown below as an example that I
generated on my XP Pro computer. The free Event Comb from Microsoft can make
it easy to search the security logs on domain controllers for specific Event
IDs. If you mean NT4.0 domain then there is no Domain Controller Security
Policy but you can enable auditing on the NT4.0 PDC which is the only server
in the domain that would show such events. --- Steve

Event Type: Success Audit
Event Source: Security
Event Category: Account Management
Event ID: 629
Date: 1/20/2006
Time: 11:41:22 AM
User: STEVE-XP\Steve
Computer: STEVE-XP
Description:
User Account Disabled:
Target Account Name: Darth
Target Domain: STEVE-XP
Target Account ID: STEVE-XP\Darth
Caller User Name: Steve
Caller Domain: STEVE-XP
Caller Logon ID: (0x0,0x1208F)


For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.



"B" <B@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:BE5A17A2-9DEB-4578-8464-3A3F93CA8E7D@xxxxxxxxxxxxxxxx
>I would like to know how to enable Auditing to trace who disabled user's
> account in NT Domain. Can anybody help? Thank you


.