How to Audit User Account Changes in Active Directory

Authored by: Support.com Tech Pro Team

1. Introduction

How to Audit User Account Changes in Active Directory

2. Step 1: “User Account Management” Audit Policy

1. Go to “Administrative Tools” and open the “Group Policy Management” console on the primary “Domain Controller”.
2. In “Group Policy Management”, create a new GPO or edit an existing GPO. It is recommended to create a new GPO, link it to the domain, and edit it.
3. To create a new GPO, right-click the domain name in the left panel, and click “Create a GPO in this domain, and Link it here”. It shows the “New GPO” window on the screen. Provide a name (User Account Management in our case) and click “OK”.
4. The new GPO appears in the left pane. Right-click it and click “Edit” in the context menu. “Group Policy Management Editor” appears on the screen.
5. In this window, you have to set the “Audit User Account Management” policy. To do that, navigate to “Computer Configuration” ➔ “Windows Settings” ➔ “Security Settings” ➔ “Advanced Audit Policy Configuration” ➔ “Audit Policies”.
6. Select “Account Management” policy to list all of its sub-policies. Double-click the “Audit User Account Management”’ policy to open its “Properties” window
7. Instead of configuring “Local Policy, it is recommended to configure the above policy in “Advanced Audit Policy Configuration”. This is because you have to enable all account management policies in “Local Policy” that will generate a huge amount of event logs. To minimize the noise, “Advanced Audit Policy Configuration” should be preferred. 

1. In policy properties, click to select the “Define these policy settings” checkbox. Then, select the “Success” and the “Failure” attempts check boxes. You can choose any one or both the options as per your need. In our case, we have selected both of the options as we want to audit both the successful and the failed attempts.

1. Click “Apply”, and “OK” to close the properties window.
2. It is recommended to update the Group Policy instantly so that new changes can be applied on the entire domain. Run the following command in the “Command Prompt”:Gpupdate /force
   In the following image, you can see the “Gpupdate” command run.

3. Step 2: Track user account changes through Event Viewer

To track user account changes in Active Directory, open “Windows Event Viewer”, and go to “Windows Logs” ➔ “Security”. Use the “Filter Current Log” option in the right pane to find the relevant events.

The following are some of the events related to user account management:

1. Event ID 4720 shows a user account was created.
2. Event ID 4722 shows a user account was enabled.
3. Event ID 4740 shows a user account was locked out.
4. Event ID 4725 shows a user account was disabled.
5. Event ID 4726 shows a user account was deleted.
6. Event ID 4738 shows a user account was changed.
7. Event ID 4781 shows the name of an account was changed.In our lab environment, we have enabled a disabled user account. The following image shows the event’s properties window’s screenshot (event Id 4722). The user’s name who enabled the account is shown under “Subject ➔ Account Name” field, and the account-enable time is displayed under “Logged” field.

1. To see the user’s name whose account was enabled, you will have to scroll down the event’s property window’s side bar. In the following image, you can see the user’s name under “Target Account ➔ Account Name” field.