Audit User Account Management

Applies To: Windows 7, Windows Server 2008 R2

This security policy setting determines whether the operating system generates audit events when the following user account management tasks are performed:

  • A user account is created, changed, deleted, renamed, disabled, enabled, locked out, or unlocked.

  • A user account password is set or changed.

  • Security identifier (SID) history is added to a user account.

  • The Directory Services Restore Mode password is set.

  • Permissions on accounts that are members of administrators groups are changed.

  • Credential Manager credentials are backed up or restored.

This policy setting is essential for tracking events that involve provisioning and managing user accounts.

Event volume: Low

Default: Success

If this policy setting is configured, the following events are generated. The events appear on computers running Windows Server 2008 R2, Windows Server 2008, Windows 7, or Windows Vista.

Event ID    Event message
4720        A user account was created.
4722        A user account was enabled.
4723        An attempt was made to change an account's password.
4724        An attempt was made to reset an account's password.
4725        A user account was disabled.
4726        A user account was deleted.
4738        A user account was changed.
4740        A user account was locked out.
4765        SID History was added to an account.
4766        An attempt to add SID History to an account failed.
4767        A user account was unlocked.
4780        The ACL was set on accounts which are members of administrators groups.
4781        The name of an account was changed:
4794        An attempt was made to set the Directory Services Restore Mode.
5376        Credential Manager credentials were backed up.
5377        Credential Manager credentials were restored from a backup.
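
The following PowerShell check is an added example, not part of the original page: it shows the current setting of the User Account Management subcategory with auditpol and then counts the events listed above in the local Security log. The 24-hour look-back window and the choice of event IDs listed in full ($reviewIds) are assumptions of this example.

```powershell
# Added example: confirm the audit setting and summarize the events it produces.
# Run from an elevated prompt; reading the Security log requires administrator rights.

# Event IDs and messages copied from the table above.
$EventMessages = @{
    4720 = 'A user account was created.'
    4722 = 'A user account was enabled.'
    4723 = "An attempt was made to change an account's password."
    4724 = "An attempt was made to reset an account's password."
    4725 = 'A user account was disabled.'
    4726 = 'A user account was deleted.'
    4738 = 'A user account was changed.'
    4740 = 'A user account was locked out.'
    4765 = 'SID History was added to an account.'
    4766 = 'An attempt to add SID History to an account failed.'
    4767 = 'A user account was unlocked.'
    4780 = 'The ACL was set on accounts which are members of administrators groups.'
    4781 = 'The name of an account was changed:'
    4794 = 'An attempt was made to set the Directory Services Restore Mode.'
    5376 = 'Credential Manager credentials were backed up.'
    5377 = 'Credential Manager credentials were restored from a backup.'
}

# 1. Show whether Success and/or Failure auditing is on for this subcategory.
auditpol /get /subcategory:"User Account Management"

# 2. Collect matching events. The 24-hour look-back is an assumption of this example.
$filter = @{
    LogName   = 'Security'
    Id        = [int[]]@($EventMessages.Keys)
    StartTime = (Get-Date).AddHours(-24)
}
# -ErrorAction SilentlyContinue suppresses the error raised when nothing matches.
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

# 3. Count events per ID, labelled with the message text from the table.
$events | Group-Object Id | Sort-Object Count -Descending |
    Select-Object Count,
        @{ Name = 'EventId'; Expression = { $_.Name } },
        @{ Name = 'Message'; Expression = { $EventMessages[[int]$_.Name] } } |
    Format-Table -AutoSize

# 4. List rarely expected events in full (ID selection is this example's assumption).
$reviewIds = 4765, 4766, 4794
$events | Where-Object { $reviewIds -contains $_.Id } |
    Select-Object TimeCreated, Id, MachineName,
        @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize
```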