Re: How to enable Auditing to trace who disabled user's account.



Enable auditing of account management in Domain Controller Security Policy
and look for account management evens in the security logs of the domain
controllers such as for Event ID 629 as shown below as an example that I
generated on my XP Pro computer. The free Event Comb from Microsoft can make
it easy to search the security logs on domain controllers for specific Event
IDs. If you mean NT4.0 domain then there is no Domain Controller Security
Policy but you can enable auditing on the NT4.0 PDC which is the only server
in the domain that would show such events. --- Steve

Event Type: Success Audit
Event Source: Security
Event Category: Account Management
Event ID: 629
Date: 1/20/2006
Time: 11:41:22 AM
User: STEVE-XP\Steve
Computer: STEVE-XP
Description:
User Account Disabled:
Target Account Name: Darth
Target Domain: STEVE-XP
Target Account ID: STEVE-XP\Darth
Caller User Name: Steve
Caller Domain: STEVE-XP
Caller Logon ID: (0x0,0x1208F)


For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.



"B" <B@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:BE5A17A2-9DEB-4578-8464-3A3F93CA8E7D@xxxxxxxxxxxxxxxx
>I would like to know how to enable Auditing to trace who disabled user's
> account in NT Domain. Can anybody help? Thank you


.



Relevant Pages

  • Re: Security Breach in AD! Help!
    ... > about 5 minutes the user was removed from the built in admin group. ... > changed the default domain policy, the default domain controller policy, ... >> auditing of account logon for success and failure and account management ... >> success and failure in Domain Controller Security Policy. ...
    (microsoft.public.win2000.security)
  • Re: disable users while user is logged into the domain
    ... That article i read more and more before, but it does not state anything about "disabling" an account. ... Assigning an account lockout, which a domain controller performs to ... Changing the password on a domain controller computer account. ... The PDC emulator receives urgent replication of account lockouts. ...
    (microsoft.public.windows.server.active_directory)
  • Re: disable users while user is logged into the domain
    ... Please check the following link for more information concerning urgent replication. ... How the Active Directory Replication Model Works: ... Assigning an account lockout, which a domain controller performs to prohibit a user from logging on after a certain number of failed attempts. ...
    (microsoft.public.windows.server.active_directory)
  • Re: More than one Administrator Account and Reinstalling OS on a D
    ... Some one has created a regular user account and may added that one to ... There is only one built-in administrator peer domain. ... FSMO roles are actually supposed to be transferred automatically during ... When you remove an existing Domain Controller within Active Directory, ...
    (microsoft.public.win2000.active_directory)
  • Re: Security Breach in AD! Help!
    ... I have set up auditing of account logon and account management, ... still allowed to create a user and add the user to the built in admin group ... passwords, but all security updates have been applied. ... > success and failure in Domain Controller Security Policy. ...
    (microsoft.public.win2000.security)