User Management Events


The bulk of the user management events are identical, with variation only in the activity (for example, enabled versus disabled) and the security groups (local, global, or universal) to which the audit applies.

In addition, from event 648 to event 685, some events include the phrase SECURITY_DISABLED in their formal names. This means that these groups cannot be used to grant permissions in access checks. If the SID representing a security-disabled group appears in a user's token, it is only used to verify deny access control entries (ACEs) during an access check. A SECURITY_ENABLED group is used to verify all ACEs during an access check.

For more information about access tokens and the roles and use of local, global, or universal groups, see Authorization and Access Control in this book.
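The rule above can be modelled as follows. This is an added example, not code from the Resource Kit: a simplified Python model of an ordered DACL evaluated against a token in which a group SID is either fully enabled or usable for deny ACEs only. The SIDs, access masks and the `Ace`/`Token` types are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed access-right bits for the illustration.
READ, WRITE = 0x1, 0x2

# Constructed SIDs (not taken from any real domain).
USER = "S-1-5-21-1111-2222-3333-1001"
STAFF = "S-1-5-21-1111-2222-3333-2001"
CONTRACTORS = "S-1-5-21-1111-2222-3333-2002"


@dataclass(frozen=True)
class Ace:
    kind: str   # "allow" or "deny"
    sid: str
    mask: int


@dataclass(frozen=True)
class Token:
    user_sid: str
    enabled_groups: frozenset = frozenset()    # checked against all ACEs
    deny_only_groups: frozenset = frozenset()  # checked against deny ACEs only


def access_check(token: Token, dacl: list, desired: int) -> bool:
    """Walk the DACL in order; return True only if every desired bit is granted."""
    allow_sids = {token.user_sid} | token.enabled_groups
    # Deny ACEs match every SID in the token, including deny-only groups.
    deny_sids = allow_sids | token.deny_only_groups
    remaining = desired
    for ace in dacl:
        if ace.kind == "deny" and ace.sid in deny_sids and ace.mask & remaining:
            return False                      # an explicit deny wins immediately
        if ace.kind == "allow" and ace.sid in allow_sids:
            remaining &= ~ace.mask            # deny-only SIDs never reach here
            if remaining == 0:
                return True
    return False                              # bits left ungranted: access denied


def demo() -> dict:
    staff_only = [Ace("allow", STAFF, READ)]
    deny_contractors = [Ace("deny", CONTRACTORS, WRITE),
                        Ace("allow", USER, READ | WRITE)]
    enabled = Token(USER, enabled_groups=frozenset({STAFF}))
    deny_only_staff = Token(USER, deny_only_groups=frozenset({STAFF}))
    deny_only_contr = Token(USER, deny_only_groups=frozenset({CONTRACTORS}))
    plain = Token(USER)
    return {
        "enabled group grants read": access_check(enabled, staff_only, READ),
        "deny-only group grants read": access_check(deny_only_staff, staff_only, READ),
        "deny-only group blocks write": not access_check(deny_only_contr, deny_contractors, WRITE),
        "deny-only group leaves read": access_check(deny_only_contr, deny_contractors, READ),
        "no group, write allowed": access_check(plain, deny_contractors, WRITE),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result}")
```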

624 A user account was created.

Parameters: Name of new user account, domain of new user account, SID string of new user account, user name of subject creating the user account, domain name of subject creating the user account, logon ID string of subject creating the user account, privileges used to create the user account.

Configurable Information: Success

Formal name: SE_AUDITID_USER_CREATED

627 A user password was changed.

Parameters: Name of target user account, domain of target user account, SID string of target user account, user name of subject changing the user account, domain name of subject changing the user account, logon ID string of subject changing the user account.

Configurable Information: Success

Formal name: SE_AUDITID_USER_PWD_CHANGED

628 A user password was set.

Parameters: Name of target user account, domain of target user account, SID string of target user account, user name of subject changing the user account, domain name of subject changing the user account, logon ID string of subject changing the user account.

Configurable Information: Success

Formal name: SE_AUDITID_USER_PWD_SET

630 A user account was deleted.

Parameters: Name of target user account, domain of target user account, SID string of target user account, user name of subject deleting the user account, domain name of subject deleting the user account, logon ID string of subject deleting the user account.

Configurable Information: Success

Formal name: SE_AUDITID_USER_DELETED

631 A global group was created.

Parameters: Name of new group account, domain of new group account, SID string of new group account, user name of subject creating the account, domain name of subject creating the account, logon ID string of subject creating the account.

Configurable Information: Success

Formal name: SE_AUDITID_GLOBAL_GROUP_CREATED

632 A member was added to a global group.

Parameters: SID string of member being added, name of target account, domain of target account, SID string of target account, user name of subject changing the account, domain name of subject changing the account, logon ID string of subject changing the account.

Configurable Information: Success

Formal name: SE_AUDITID_GLOBAL_GROUP_ADD

633 A member was removed from a global group.

Parameters: SID string of member being removed, name of target account, domain of target account, SID string of target account, user name of subject changing the account, domain name of subject changing the account, logon ID string of subject changing the account.

Configurable Information: Success

Formal name: SE_AUDITID_GLOBAL_GROUP_REM

634 A global group was deleted.

Parameters: Name of the global group account, domain of the global group account, SID string of the global group account, user name of subject deleting the global group, domain name of subject deleting the global group, logon ID string of subject deleting the global group.

Configurable Information: Success

Formal name: SE_AUDITID_GLOBAL_GROUP_DELETED

635 A new local group was created.

Parameters: Name of new group account, domain of new group account, SID string of new group account, user name of subject creating the account, domain name of subject creating the account, logon ID string of subject creating the account.

Configurable Information: Success

Formal name: SE_AUDITID_LOCAL_GROUP_CREATED

636 A member was added to a local group.

Parameters: SID string of member being added, name of target account, domain of target account, SID string of target account, user name of subject changing the account, domain name of subject changing the account, logon ID string of subject changing the account.

Configurable Information: Success

Formal name: SE_AUDITID_LOCAL_GROUP_ADD

637 A member was removed from a local group.

Parameters: SID string of member being removed, name of target account, domain of target account, SID string of target account, user name of subject changing the account, domain name of subject changing the account, logon ID string of subject changing the account.

Configurable Information: Success

Formal name: SE_AUDITID_LOCAL_GROUP_REM

638 A local group was deleted.

Parameters: Name of group account being deleted, domain of the group account, SID string of group account, user name of subject deleting the account, domain name of subject deleting the account, logon ID string of subject deleting the account.

Configurable Information: Success

Formal name: SE_AUDITID_LOCAL_GROUP_DELETED

639 A local group account was changed.

Parameters: Name of group account being changed, domain of group account, SID string of group account, user name of subject changing the account, domain name of subject changing the account, logon ID string of subject changing the account.

Configurable Information: Success

Formal name: SE_AUDITID_LOCAL_GROUP_CHANGE

641 A global group account was changed.

Parameters: Name of group account being changed, domain of group account, SID string of target account, user name of subject changing the account, domain name of subject changing the account, logon ID string of subject changing the account.

Configurable Information: Success

Formal name: SE_AUDITID_GLOBAL_GROUP_CHANGE

642 A user account was changed.

Parameters: Name of user account, domain of user account, SID string of user account, user name of subject changing the user account, domain name of subject changing the user account, logon ID string of subject changing the user account.

Configurable Information: Success

Formal name: SE_AUDITID_USER_CHANGE

643 A domain policy was modified.

Parameters: Domain policy that was modified, domain name, domain ID, caller user name, caller domain, caller logon ID, privileges used.

Configurable Information: Success

Formal name: SE_AUDITID_DOMAIN_POLICY_CHANGE

644 A user account was auto locked.

Parameters: Name of target user account, domain of target user account, SID string of target user account, user name of subject changing the user account, domain name of subject changing the user account, logon ID string of subject changing the user account.

Configurable Information: Success

Formal name: SE_AUDITID_ACCOUNT_AUTO_LOCKED

This happens when a user attempts to log on unsuccessfully multiple times (the number of attempts is configured by the administrator).

645 A computer account was created.

Parameters: Name of new computer account, domain of new computer account, SID string of new computer account, user name of subject creating the computer account, domain name of subject creating the computer account, logon ID string of subject creating the computer account, privileges used to create the computer account.

Configurable Information: Success

Formal name: SE_AUDITID_COMPUTER_CREATED

646 A computer account was changed.

Parameters: Name of target computer account, domain of target computer account, SID string of target computer account, user name of subject changing the computer account, domain name of subject changing the computer account, logon ID string of subject changing the computer account, privileges used to change the computer account.

Configurable Information: Success

Formal name: SE_AUDITID_COMPUTER_CHANGE

647 A computer account was deleted.

Parameters: Name of target computer account, domain of target computer account, SID string of target computer account, user name of subject deleting the computer account, domain name of subject deleting the computer account, logon ID string of subject deleting the computer account, privileges used to delete the computer account.

Configurable Information: Success

Formal name: SE_AUDITID_COMPUTER_DELETED

648 A local security group with security disabled was created.

Parameters: Name of new group account, domain of new group account, SID string of new group account, user name of subject creating the account, domain name of subject creating the account, logon ID string of subject creating the account, privileges used to create the account.

Configurable Information: Success

Formal name: SE_AUDITID_SECURITY_DISABLED_LOCAL_GROUP_CREATED

SECURITY_DISABLED in the formal name means that this group cannot be used to grant permissions in access checks. If the SID representing a security-disabled group appears in a user's token, it is only used to verify deny access control entries (ACEs) during an access check. A SECURITY_ENABLED group is used to verify all ACEs during an access check.

For more information about access tokens and the roles and usage of local, global, or universal groups, see Authorization and Access Control in this book.

649 A local security group with security disabled was changed.

Parameters: Name of group account, domain of group account, SID string of group account, user name of subject modifying the account, domain name of subject modifying the account, logon ID string of subject modifying the account, privileges used to modify the account.

Configurable Information: Success

Formal name: SE_AUDITID_SECURITY_DISABLED_LOCAL_GROUP_CHANGE

650 A member was added to a security-disabled local security group.

Parameters: SID string of member being added, name of security-disabled local security group account, domain of security group account, SID string of security-disabled local security group account, user name of subject changing the membership of the security-disabled local security group, domain name of subject changing the membership of the security-disabled local security group, logon ID string of subject changing the membership of the security-disabled local security group.

Configurable Information: Success

Formal name: SE_AUDITID_SECURITY_DISABLED_LOCAL_GROUP_ADD

651 A member was removed from a security-disabled local security group.

Parameters: SID string of member being removed, name of security-disabled local security group account, domain of security-disabled security group account, SID string of local security group account, user name of subject changing the membership of the security-disabled local security group, domain name of subject changing the membership of the security-disabled local security group, logon ID string of subject changing the membership of the security-disabled local security group.

Configurable Information: Success

Formal name: SE_AUDITID_SECURITY_DISABLED_LOCAL_GROUP_REM

652 A security-disabled local group was deleted.

Parameters: Name of the security-disabled local group, domain of security-disabled local group, SID string of security-disabled local group, user name of subject deleting the security-disabled local group, domain name of subject deleting the security-disabled local group, logon ID string of subject deleting the security-disabled local group.

Configurable Information: Success

Formal name: SE_AUDITID_SECURITY_DISABLED_LOCAL_GROUP_DELETED

653 A security-disabled global group was created.

Parameters: Name of new security-disabled global group, domain of new security-disabled global group, SID string of new security-disabled global group, user name of subject creating the security-disabled global group, domain name of subject creating the security-disabled global group, logon ID string of subject creating the security-disabled global group.

Configurable Information: Success

Formal name: SE_AUDITID_SECURITY_DISABLED_GLOBAL_GROUP_CREATED

654 A security-disabled global group was changed.

Parameters: Name of security-disabled global group, domain of security-disabled global group, SID string of security-disabled global group, user name of subject changing the security-disabled global group, domain name of subject changing the security-disabled global group, logon ID string of subject changing the security-disabled global group.

Configurable Information: Success

Formal name: SE_AUDITID_SECURITY_DISABLED_GLOBAL_GROUP_CHANGE

655 A member was added to a security-disabled global group.

Parameters: SID string of member being added, name of security-disabled global group, domain of security-disabled global group, SID string of security-disabled global group, user name of subject changing the security-disabled global group, domain name of subject changing the security-disabled global group, logon ID string of subject changing the security-disabled global group.

Configurable Information: Success

Formal name: SE_AUDITID_SECURITY_DISABLED_GLOBAL_GROUP_ADD

656 A member was removed from a security-disabled global group.

Parameters: SID string of member being removed, name of security-disabled global group, domain of security-disabled global group, SID string of security-disabled global group, user name of subject changing the security-disabled global group, domain name of subject changing the security-disabled global group, logon ID string of subject changing the security-disabled global group.

Configurable Information: Success

Formal name: SE_AUDITID_SECURITY_DISABLED_GLOBAL_GROUP_REM

657 A security-disabled global group was deleted.

Parameters: Name of security-disabled global group, domain of security-disabled global group, SID string of security-disabled global group, user name of subject deleting the security-disabled global group, domain name of subject deleting the security-disabled global group, logon ID string of subject deleting the security-disabled global group.

Configurable Information: Success

Formal name: SE_AUDITID_SECURITY_DISABLED_GLOBAL_GROUP_DELETED

658 A security-enabled universal group was created.

Parameters: Name of new group account, domain of new security-enabled universal group, SID string of new security-enabled universal group, user name of subject creating the security-enabled universal group, domain name of subject creating the security-enabled universal group, logon ID string of subject creating the security-enabled universal group.

Configurable Information: Success

Formal name: SE_AUDITID_SECURITY_ENABLED_UNIVERSAL_GROUP_CREATED

659 A security-enabled universal group was changed.

Parameters: Name of target security-enabled universal group, domain of security-enabled universal group, SID string of security-enabled universal group, user name of subject changing the security-enabled universal group, domain name of subject changing the security-enabled universal group, logon ID string of subject changing the security-enabled universal group.

Configurable Information: Success

Formal name: SE_AUDITID_SECURITY_ENABLED_UNIVERSAL_GROUP_CHANGE

660 A member was added to a security-enabled universal group.

Parameters: SID string of member being added, name of security-enabled universal group, domain of security-enabled universal group, SID string of security-enabled universal group, user name of subject changing the security-enabled universal group, domain name of subject changing the security-enabled universal group, logon ID string of subject changing the security-enabled universal group.

Configurable Information: Success

Formal name: SE_AUDITID_SECURITY_ENABLED_UNIVERSAL_GROUP_ADD

661 A member was removed from a security-enabled universal group.

Parameters: SID string of member being removed, name of security-enabled universal group, domain of security-enabled universal group, SID string of security-enabled universal group, user name of subject changing the security-enabled universal group, domain name of subject changing the security-enabled universal group, logon ID string of subject changing the security-enabled universal group.

Configurable Information: Success

Formal name: SE_AUDITID_SECURITY_ENABLED_UNIVERSAL_GROUP_REM

662 A security-enabled universal group was deleted.

Parameters: Name of target account, domain of security-enabled universal group, SID string of security-enabled universal group, user name of subject deleting the security-enabled universal group, domain name of subject deleting the security-enabled universal group, logon ID string of subject deleting the security-enabled universal group.

Configurable Information: Success

Formal name: SE_AUDITID_SECURITY_ENABLED_UNIVERSAL_GROUP_DELETED

663 A security-disabled universal group was created.

Parameters: Name of new security-disabled universal group, domain of new security-disabled universal group, SID string of new security-disabled universal group, user name of subject creating the security-disabled universal group, domain name of subject creating the security-disabled universal group, logon ID string of subject creating the security-disabled universal group.

Configurable Information: Success

Formal name: SE_AUDITID_SECURITY_DISABLED_UNIVERSAL_GROUP_CREATED

664 A security-disabled universal group was changed.

Parameters: Name of security-disabled universal group, domain of security-disabled universal group, SID string of security-disabled universal group, user name of subject changing the security-disabled universal group, domain name of subject changing the security-disabled universal group, logon ID string of subject changing the security-disabled universal group.

Configurable Information: Success

Formal name: SE_AUDITID_SECURITY_DISABLED_UNIVERSAL_GROUP_CHANGE

665 A member was added to a security-disabled universal group.

Parameters: SID string of member being added, name of security-disabled universal group, domain of security-disabled universal group, SID string of security-disabled universal group, user name of subject changing the security-disabled universal group, domain name of subject changing the security-disabled universal group, logon ID string of subject changing the security-disabled universal group.

Configurable Information: Success

Formal name: SE_AUDITID_SECURITY_DISABLED_UNIVERSAL_GROUP_ADD

666 A member was removed from a security-disabled universal group.

Parameters: SID string of member being removed, name of security-disabled universal group, domain of security-disabled universal group, SID string of security-disabled universal group, user name of subject changing the security-disabled universal group, domain name of subject changing the security-disabled universal group, logon ID string of subject changing the security-disabled universal group.

Configurable Information: Success

Formal name: SE_AUDITID_SECURITY_DISABLED_UNIVERSAL_GROUP_REM

667 A security-disabled universal group was deleted.

Parameters: Name of target account, domain of security-disabled universal group, SID string of security-disabled universal group, user name of subject deleting the security-disabled universal group, domain name of subject deleting the security-disabled universal group, logon ID string of subject deleting the security-disabled universal group.

Configurable Information: Success

Formal name: SE_AUDITID_SECURITY_DISABLED_UNIVERSAL_GROUP_DELETED

668 A group type was changed.

Parameters: Nature of group type change, name of group being changed, domain of group being changed, SID string of group being changed, user name of subject changing the group type, domain name of subject changing the group type, logon ID string of subject changing the group type.

Configurable Information: Success

Formal name: SE_AUDITID_GROUP_TYPE_CHANGE

684 Set the security descriptor of members of administrative groups.

Parameters: Domain of target user account, SID string of target user account, user name of subject changing the user account, domain name of subject changing the user account, logon ID string of subject changing the user account.

Configurable Information: Success

Formal name: SE_AUDITID_SECURE_ADMIN_GROUP

Every 60 minutes on a domain controller a background thread searches all members of administrative groups (such as domain, enterprise, and schema administrators) and applies a fixed security descriptor on them. This event is logged.

685 Name of an account was changed.

Parameters: Name of target account, domain of target account, SID string of target account, user name of subject changing the account, domain name of subject changing the account, logon ID string of subject changing the account.

Configurable Information: Success

Formal name: SE_AUDITID_ACCOUNT_NAME_CHANGE




Microsoft Windows XP Professional Resource Kit 2003
Year: 2005
Pages: 338
