
Monitor Pack (MS6) - Windows - Monitor Security Group Account Management

Created: 26 May 2009
Antonp's picture

The "Account Management" audit policy is very detailed in Windows 2000 and in later service packs of Windows NT 4.0. Enabling success and failure auditing for this event category causes the following events to be logged:

  • 631 Security Enabled Global Group Created
  • 632 Security Enabled Global Group Member Added
  • 633 Security Enabled Global Group Member Removed
  • 634 Security Enabled Global Group Deleted
  • 635 Security Enabled Local Group Created
  • 636 Security Enabled Local Group Member Added
  • 637 Security Enabled Local Group Member Removed
  • 638 Security Enabled Local Group Deleted
  • 639 Security Enabled Local Group Changed
  • 640 General Account Database Change
  • 641 Security Enabled Global Group Changed
  • 648 Security Disabled Local Group Created
  • 649 Security Disabled Local Group Changed
  • 650 Security Disabled Local Group Member Added
  • 651 Security Disabled Local Group Member Removed
  • 652 Security Disabled Local Group Deleted
  • 653 Security Disabled Global Group Created
  • 654 Security Disabled Global Group Changed
  • 655 Security Disabled Global Group Member Added
  • 656 Security Disabled Global Group Member Removed
  • 657 Security Disabled Global Group Deleted
  • 658 Security Enabled Universal Group Created
  • 659 Security Enabled Universal Group Changed
  • 660 Security Enabled Universal Group Member Added
  • 661 Security Enabled Universal Group Member Removed
  • 662 Security Enabled Universal Group Deleted
  • 663 Security Disabled Universal Group Created
  • 664 Security Disabled Universal Group Changed
  • 665 Security Disabled Universal Group Member Added
  • 666 Security Disabled Universal Group Member Removed
  • 667 Security Disabled Universal Group Deleted
  • 668 Group Type Changed
  • 669 Add SID History (Success)
  • 670 Add SID History (Failure)
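
An added example (not part of the original article or of the monitor pack): a Python triage pass over exported event records that uses event IDs from the list above to surface membership changes in security-enabled groups. The record layout, the sample data, the 10-minute window and the alerting rules are assumptions of this example.

```python
import re
from datetime import datetime, timedelta

# Event IDs and descriptions copied from the list above (subset used for triage).
CATALOG = """\
632 Security Enabled Global Group Member Added
633 Security Enabled Global Group Member Removed
655 Security Disabled Global Group Member Added
660 Security Enabled Universal Group Member Added
668 Group Type Changed
669 Add SID History (Success)
670 Add SID History (Failure)
"""
PATTERN = re.compile(r"(\d+) Security (Enabled|Disabled) (Global|Local|Universal) Group (.+)")

def parse_catalog(text=CATALOG):
    """Map event ID -> (security_enabled, scope, action); other IDs map to None."""
    table = {}
    for line in text.splitlines():
        m = PATTERN.fullmatch(line)
        fields = (m.group(2) == "Enabled", m.group(3), m.group(4)) if m else None
        table[int(line.split()[0])] = fields
    return table

def triage(events, window=timedelta(minutes=10)):
    """Return (time, event_id, reason) findings; the rules are assumptions of this example."""
    table, added, findings = parse_catalog(), {}, []
    for ts, eid, group, member in sorted(events):
        if eid in (668, 669, 670):
            findings.append((ts, eid, "group type or SID history change"))
            continue
        info = table.get(eid)
        if not info or not info[0]:
            continue  # unknown ID, or a security-disabled (distribution) group
        if info[2] == "Member Added":
            added[(group, member)] = ts
            findings.append((ts, eid, f"{member} added to {info[1].lower()} group {group}"))
        elif info[2] == "Member Removed" and (group, member) in added:
            if ts - added.pop((group, member)) <= window:
                findings.append((ts, eid, f"{member} removed from {group} shortly after being added"))
    return findings

# Constructed sample records: (timestamp, event ID, group, member).
T0 = datetime(2009, 5, 26, 9, 0)
SAMPLE = [
    (T0, 632, "Domain Admins", "jdoe"),
    (T0 + timedelta(minutes=4), 633, "Domain Admins", "jdoe"),
    (T0 + timedelta(minutes=5), 655, "Newsletter", "asmith"),
    (T0 + timedelta(minutes=6), 669, "-", "svc-migrate"),
]
```

Calling `triage(SAMPLE)` returns three findings: the add, the removal four minutes later, and the SID history event; the distribution-group addition (655) is not reported.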