Navigation:  Monitoring with EventSentry > Compliance Tracking >

Policy Change Tracking

 Top  Previous  Next

Policy Change Tracking intercepts various events related to policy changes, such as the change of a domain password policy or the assignment of a user right.

 

Policy Changes

Tracks all policy changes, including:

 

Domain Policy Changes (e.g. password policy changes)
Audit Policy Changes
Kerberos Policy Changes

 

Event Log 32 n t

Event IDs

Policy Changes

 

Windows NT, Windows 2000, Windows XP, Windows 2003

612, 617, 643

 

Windows Vista, Windows 2008

4719, 4713, 4739

 

User Rights Changes

Tracks when user rights are assigned to or removed from user accounts, e.g. the "Create a pagefile" right.

 

Event Log 32 n t

Event IDs

User Rights Changes

 

Windows NT, Windows 2000, Windows XP, Windows 2003

608, 609

 

Windows Vista, Windows 2008

4704, 4705

 

Logon Rights Changes

Tracks when logon rights are granted or removed from user accounts, e.g. the "Logon as a service" right.

 

Event Log 32 n t

Event IDs

Logon Rights Changes

 

Windows NT, Windows 2000, Windows XP, Windows 2003

621, 622

 

Windows Vista, Windows 2008

4717, 4718

 

Trust Relationship Changes

Tracks all changes to trust relationships, including the creation, modification and removal of trust relationships.

 

Event Log 32 n t

Event IDs

Trust Relationship Changes

 

Windows NT, Windows 2000, Windows XP, Windows 2003

610, 611, 620

 

Windows Vista, Windows 2008

4706, 4707, 4716

 

Retrieve Source IP Address and Computer Name

When the logon id contained in the monitored event can be linked (correlated) to an earlier logon session, then EventSentry will include the IP address and/or host name. In the case that only the host name or IP address are available, a DNS (reverse) lookup will be performed to gather the missing information.

 

Due to the nature of DNS lookups, this information should be used with caution and might not be 100% accurate.