Audit User Account Management
Applies To: Windows 7, Windows Server 2008 R2
This security policy setting determines whether the operating system generates audit events when the following user account management tasks are performed:
A user account is created, changed, deleted, renamed, disabled, enabled, locked out, or unlocked.
A user account password is set or changed.
Security identifier (SID) history is added to a user account.
The Directory Services Restore Mode password is set.
Permissions on accounts that are members of administrators groups are changed.
Credential Manager credentials are backed up or restored.
This policy setting is essential for tracking events that involve provisioning and managing user accounts.
Event volume: Low
Default: Success
If this policy setting is configured, the following events are generated. The events appear on computers running Windows Server 2008 R2, Windows Server 2008, Windows 7, or Windows Vista.
Event ID | Event message |
---|---|
4720 | A user account was created. |
4722 | A user account was enabled. |
4723 | An attempt was made to change an account's password. |
4724 | An attempt was made to reset an account's password. |
4725 | A user account was disabled. |
4726 | A user account was deleted. |
4738 | A user account was changed. |
4740 | A user account was locked out. |
4765 | SID History was added to an account. |
4766 | An attempt to add SID History to an account failed. |
4767 | A user account was unlocked. |
4780 | The ACL was set on accounts which are members of administrators groups. |
4781 | The name of an account was changed: |
4794 | An attempt was made to set the Directory Services Restore Mode. |
4795 | Credential Manager credentials were backed up. |
5377 | Credential Manager credentials were restored from a backup. |