Share via


Audit Other Account Management Events

Applies To: Windows 7, Windows Server 2008 R2

This security policy setting determines whether the operating system generates user account management audit events when:

  • The password hash of an account is accessed. This typically happens when the Active Directory Migration Tool (ADMT) is moving password data.

  • The Password Policy Checking application programming interface (API) is called. Calls to this function could be part of an attack from a malicious application that is testing whether password complexity policy settings are being applied.

  • Changes are made to domain policy under Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy or Computer Configuration\Windows Settings\Security Settings\Account Policies\Account Lockout Policy.

Note

These events are logged when the domain policy is applied (on refresh or restart), not when settings are modified by an administrator.

Event volume: Low

Default: Not configured

If this policy setting is configured, the following events are generated. The events appear on computers running Windows Server 2008 R2, Windows Server 2008, Windows 7, or Windows Vista.

Event ID Event Message Summary

4782

The password hash for an account was accessed.

4793

The Password Policy Checking API was called.