Friday, June 14, 2019

Auditing Windows server events for changes to local accounts and local group membership changes

Windows system administrators are often asked to provide security audit logs showing which local user accounts were created, when they were created and who created them. Auditors may also ask for logs showing when the membership of privileged local groups such as Administrators, Power Users, Backup Operators and Remote Desktop Users was modified, and by whom.

To answer these requests, the Windows server administrator needs to enable the relevant auditing in the local security policy and then use the monitoring tools to track specific event IDs in the server's Security event log.

Step 1: Enable auditing

For Windows Server 2008, 2012 and 2016, enable "Audit Security Group Management" and "Audit User Account Management" for both Success and Failure.

These settings are located under Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Account Management.

Step 2: Monitor the events

Once these settings are enabled, monitor the following events in the Security event log.

Event source: Microsoft Windows security auditing

Task Category: Security Group Management
Event IDs:
4728 (A member was added to a security-enabled global group)
4729 (A member was removed from a security-enabled global group)
4732 (A member was added to a security-enabled local group)
4733 (A member was removed from a security-enabled local group)

Task Category: User Account Management
Event IDs:
4720 (A user account was created)
4722 (A user account was enabled)
4724 (An attempt was made to reset an account's password)
4726 (A user account was deleted)
4738 (A user account was changed)
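The following script is an added example and not part of the original post. It carries both steps through in PowerShell: it turns on the two audit subcategories with auditpol (the command-line equivalent of the policy setting described in Step 1), then pulls the event IDs listed above from the Security log and flattens each event into a row an auditor can read (who made the change, which account or group was affected, and for group events which member was added or removed). The function name Get-LocalAccountAuditEvents, the $LookbackDays parameter and the description table are this example's own; the event data field names (SubjectUserName, TargetUserName, MemberSid and so on) are the standard ones Windows writes for these events.

```powershell
#Requires -RunAsAdministrator
# Added example (not the post's own code). Run in an elevated PowerShell session
# on the server being audited.

# --- Step 1: enable the two subcategories for Success and Failure ---------------
# auditpol changes the effective policy immediately. If a GPO also sets
# "Advanced Audit Policy Configuration", the GPO value wins at the next refresh,
# so set it there for anything that must persist.
auditpol /set /subcategory:"Security Group Management" /success:enable /failure:enable
auditpol /set /subcategory:"User Account Management"   /success:enable /failure:enable

# Show the resulting settings for the whole Account Management category.
auditpol /get /category:"Account Management"

# --- Step 2: collect the events the post lists ----------------------------------
$eventDescriptions = @{
    4728 = 'Member added to security-enabled global group'
    4729 = 'Member removed from security-enabled global group'
    4732 = 'Member added to security-enabled local group'
    4733 = 'Member removed from security-enabled local group'
    4720 = 'User account created'
    4722 = 'User account enabled'
    4724 = 'Password reset attempted'
    4726 = 'User account deleted'
    4738 = 'User account changed'
}

function Get-LocalAccountAuditEvents {
    param(
        [int]$LookbackDays = 7,                    # how far back to search
        [string]$ComputerName = $env:COMPUTERNAME  # local server by default
    )

    $filter = @{
        LogName   = 'Security'
        Id        = @($eventDescriptions.Keys)
        StartTime = (Get-Date).AddDays(-$LookbackDays)
    }

    # Get-WinEvent reports "No events were found" as an error; treat that as an empty result.
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Parse the event XML so fields can be read by name instead of by position.
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

            # For group events (4728/4729/4732/4733) MemberName is often "-" and only
            # MemberSid is populated; translate the SID to an account name when possible.
            $member = $null
            if ($data.ContainsKey('MemberSid') -and $data['MemberSid'] -ne '-') {
                try {
                    $sid    = New-Object System.Security.Principal.SecurityIdentifier $data['MemberSid']
                    $member = $sid.Translate([System.Security.Principal.NTAccount]).Value
                } catch {
                    $member = $data['MemberSid']   # deleted or unresolvable account: keep the raw SID
                }
            }

            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                EventId     = $_.Id
                Action      = $eventDescriptions[[int]$_.Id]
                # Subject* = the account that made the change (the "who")
                ChangedBy   = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
                # Target* = the user account (4720..4738) or the group (4728..4733) that was changed
                Target      = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
                Member      = $member
                Computer    = $xml.Event.System.Computer
            }
        }
}

# Usage: review on screen, or export the last 30 days for an auditor.
Get-LocalAccountAuditEvents -LookbackDays 30 |
    Sort-Object TimeCreated |
    Format-Table TimeCreated, EventId, Action, ChangedBy, Target, Member -AutoSize

Get-LocalAccountAuditEvents -LookbackDays 30 |
    Export-Csv -Path "$env:TEMP\local-account-audit.csv" -NoTypeInformation
```

Two details are worth keeping in mind when reviewing the output. First, event 4732 names the group in the Target column and the added account in the Member column, so a row such as Target = SERVER01\Administrators, Member = SERVER01\svc-backup is what a membership change to a privileged group looks like. Second, because the Security log wraps when it fills, run the collection on a schedule (or forward the log to a central collector) rather than relying on the log still holding the events when the auditor asks.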