Policy Change Tracking continuously queries the current audit policy so that the current audit status of every monitored system is available in the web reports. It also intercepts various events related to policy changes, such as a change to the domain password policy or the assignment of a user right.
Policy Changes
Tracks all policy changes, including:
• Domain Policy Changes (e.g. password policy changes)
• Audit Policy Changes
• Kerberos Policy Changes
Event IDs (Policy Changes):
Windows 2003 and earlier: 612, 617, 643
Windows Vista, Windows 2008 and later: 4719, 4713, 4739
User Rights Changes
Tracks when user rights are assigned to or removed from user accounts, e.g. the "Create a pagefile" right.
Event IDs (User Rights Changes):
Windows 2003 and earlier: 608, 609
Windows Vista, Windows 2008 and later: 4704, 4705
Logon Rights Changes
Tracks when logon rights are granted to or removed from user accounts, e.g. the "Logon as a service" right.
Event IDs (Logon Rights Changes):
Windows 2003 and earlier: 621, 622
Windows Vista, Windows 2008 and later: 4717, 4718
Trust Relationship Changes
Tracks all changes to trust relationships, including the creation, modification and removal of trust relationships.
Event IDs (Trust Relationship Changes):
Windows 2003 and earlier: 610, 611, 620
Windows Vista, Windows 2008 and later: 4706, 4707, 4716
Retrieve Source IP Address and Computer Name
When the logon ID contained in the monitored event can be linked (correlated) to an earlier logon session, EventSentry will include the IP address and/or host name. If only the host name or only the IP address is available, a DNS (reverse) lookup will be performed to gather the missing information.
Due to the nature of DNS lookups, this information should be used with caution and might not be 100% accurate.
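The correlation described above can be sketched as follows. This is an added example, not EventSentry's own code: it assumes events already parsed into dictionaries that use the Windows Security log field names (TargetLogonId, SubjectLogonId, IpAddress, WorkstationName), takes event 4624 as the source of logon sessions, and marks any value that came from DNS so it can be treated with the caution noted above.

```python
import socket

# Vista/2008+ event IDs listed on this page (policy, user right, logon right, trust changes)
TRACKED_IDS = {4719, 4713, 4739, 4704, 4705, 4717, 4718, 4706, 4707, 4716}
LOGON_EVENT_ID = 4624  # successful logon; assumed here as the source of logon sessions

def _present(value):
    """Windows writes '-' for fields it could not populate."""
    return value if value and value != "-" else None

def dns_resolver(ip=None, host=None):
    """Default resolver: reverse lookup for an IP, forward lookup for a host name."""
    try:
        return socket.gethostbyaddr(ip)[0] if ip else socket.gethostbyname(host)
    except OSError:
        return None

def correlate(events, resolve=dns_resolver):
    """Attach source IP/host to tracked events via the logon ID of an earlier 4624."""
    sessions, results = {}, []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["id"] == LOGON_EVENT_ID:
            # Logon IDs are only unique per machine, so key on (computer, logon ID)
            sessions[(ev["computer"], ev["TargetLogonId"])] = ev
        elif ev["id"] in TRACKED_IDS:
            logon = sessions.get((ev["computer"], ev["SubjectLogonId"]))
            ip = _present(logon.get("IpAddress")) if logon else None
            host = _present(logon.get("WorkstationName")) if logon else None
            from_dns = None  # which field, if any, was filled in by DNS
            if ip and not host:
                host = resolve(ip=ip)
                from_dns = "host" if host else None
            elif host and not ip:
                ip = resolve(host=host)
                from_dns = "ip" if ip else None
            results.append({"id": ev["id"], "user": ev["SubjectUserName"],
                            "ip": ip, "host": host, "from_dns": from_dns})
    return results

# Constructed sample events (not real log data)
SAMPLE = [
    {"time": 1, "id": 4624, "computer": "DC01", "TargetLogonId": "0x3e4a1",
     "IpAddress": "192.0.2.15", "WorkstationName": "-"},
    {"time": 2, "id": 4704, "computer": "DC01", "SubjectLogonId": "0x3e4a1",
     "SubjectUserName": "admin1"},
    {"time": 3, "id": 4719, "computer": "DC01", "SubjectLogonId": "0x99999",
     "SubjectUserName": "svc"},
]
```

Passing a custom resolve function keeps the correlation testable offline; an event whose logon ID matches no earlier session is returned with empty source fields rather than a guess.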