
Account management tracking enumerates local (non-domain) users and groups from member servers and workstations, and intercepts events related to the creation, modification and deletion of user accounts, groups and computer accounts. Depending on the type of computer this feature is used on, either local or domain accounts will be tracked.

 

Local User & Group Inventory

Provides an inventory of all local users and groups (and their members) from member servers and workstations. The data can be queried from the web reports.
 


Inventory of domain users and groups requires ADMonitor.

 

User Account Management

 

User Creation & Deletion

Tracks when user accounts are created or deleted.

 

User Account Modifications

Tracks when user accounts are modified, e.g. when a password is set.

 

User Status Changes

Tracks user status changes, e.g. when a user account is disabled or enabled.

 


Event IDs

User Account Management

4720, 4722, 4724, 4725, 4726, 4738, 4740, 4767

 

(legacy: 624, 626, 628, 629, 630, 642, 644, 671)

 

Group Management

 

Group Addition & Deletion

Tracks when groups are created or deleted.

 

Group Modifications

Tracks when groups are modified, e.g. when a global group is changed to a universal group.

 

Group Membership Changes

Tracks changes to the group membership, e.g. when members are added to or removed from a group.

 

Security-Enabled Groups, Distribution Groups

Lets you configure which types of groups should be monitored.

 


Event IDs

Group Management

4727 - 4735, 4737, 4744 - 4763

(legacy: 631 - 639, 641, 648 - 667)

 

Computer Account Management

 

Computer Account Creation & Deletion

Tracks when computer accounts are added or deleted.

 

Computer Account Modifications

Tracks changes to computer accounts, such as when the password of a computer account is changed.

 

Note: Computer account changes only occur on domain controllers.

 


Event IDs

Computer Management

4741, 4742, 4743

(legacy: 645, 646, 647)

 

Retrieve Source IP Address and Computer Name

When the logon ID contained in the account management event can be linked (correlated) to an earlier logon session, EventSentry will include the IP address and/or host name. If only the host name or only the IP address is available, a DNS (or reverse DNS) lookup will be performed to gather the missing information.

 

Due to the nature of DNS lookups, this information might not be 100% accurate.
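
The correlation described above can be illustrated with the following added example, which is not EventSentry code: it links the SubjectLogonId of an account management event to the TargetLogonId of an earlier logon event (4624) and fills in a missing host name or IP address through DNS. The events, the DNS tables and the names correlate, demo and dns_filled are constructed for illustration; the field names are those of the Windows Security event log.

```python
ACCOUNT_MGMT_IDS = {4720, 4722, 4724, 4725, 4726, 4738, 4740, 4767}  # from the page

def _val(v):
    """Windows logs '-' (or nothing) for an empty field; normalise to None."""
    return None if v in (None, "", "-") else v

def correlate(events, reverse_dns, forward_dns):
    """Attach source IP/host to account management events via the logon ID."""
    sessions = {}            # logon ID -> (ip, host) taken from earlier 4624 events
    results = []
    for ev in events:        # events must be in chronological order
        if ev["id"] == 4624:
            sessions[ev["TargetLogonId"].lower()] = (
                _val(ev.get("IpAddress")), _val(ev.get("WorkstationName")))
        elif ev["id"] in ACCOUNT_MGMT_IDS:
            # No earlier logon with this ID (e.g. it predates collection):
            # the source stays unknown instead of being guessed.
            ip, host = sessions.get(ev["SubjectLogonId"].lower(), (None, None))
            complete = bool(ip and host)
            if ip and not host:
                host = reverse_dns(ip)
            elif host and not ip:
                ip = forward_dns(host)
            # dns_filled marks values that came from DNS at correlation time;
            # the record may have changed since the logon, so treat them as hints.
            results.append({"event": ev["id"], "by": ev["SubjectUserName"],
                            "target": ev["TargetUserName"], "ip": ip, "host": host,
                            "dns_filled": not complete and bool(ip and host)})
    return results

# Constructed sample data (documentation addresses, made-up accounts).
EVENTS = [
    {"id": 4624, "TargetLogonId": "0x3E4A1", "TargetUserName": "admin1",
     "IpAddress": "192.0.2.10", "WorkstationName": "-"},
    {"id": 4624, "TargetLogonId": "0x51b20", "TargetUserName": "admin2",
     "IpAddress": "-", "WorkstationName": "WS-042"},
    {"id": 4720, "SubjectLogonId": "0x3e4a1", "SubjectUserName": "admin1",
     "TargetUserName": "svc-new"},
    {"id": 4725, "SubjectLogonId": "0x51b20", "SubjectUserName": "admin2",
     "TargetUserName": "jdoe"},
    {"id": 4724, "SubjectLogonId": "0x99999", "SubjectUserName": "admin3",
     "TargetUserName": "jdoe"},
]
PTR = {"192.0.2.10": "ws-010.example.test"}   # stand-in for reverse DNS
A = {"WS-042": "192.0.2.42"}                  # stand-in for forward DNS

def demo():
    return correlate(EVENTS, PTR.get, A.get)
```

Against live data, the two resolver arguments would wrap real lookups such as socket.gethostbyaddr and socket.gethostbyname, returning None on failure.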