The bulk of the user management events are identical, with variation only in the activity (for example, enabled versus disabled) and the security groups (local, global, or universal) to which the audit applies.
In addition, from event 648 to event 685, some events include the phrase SECURITY_DISABLED in their formal names. This means that these groups cannot be used to grant permissions in access checks. If the SID representing a security-disabled group appears in a user's token, it is only used to verify deny access control entries (ACEs) during an access check. A SECURITY_ENABLED group is used to verify all ACEs during an access check.
For more information about access tokens and the roles and use of local, global, or universal groups, see Authorization and Access Control in this book.
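The access-check rule described above, shown as an added example (not code from this book or from Windows): a simplified model of an ordered DACL walk in which a security-disabled group SID is matched against deny ACEs only. The SIDs, the mask bits, and the names `Ace`, `Token`, `access_check` and `demo` are constructed for the illustration.

```python
from dataclasses import dataclass

# Constructed access-mask bits for the illustration.
READ, WRITE = 0x1, 0x2

@dataclass(frozen=True)
class Ace:
    kind: str   # "allow" or "deny"
    sid: str    # trustee SID the ACE applies to
    mask: int   # access bits the ACE allows or denies

@dataclass(frozen=True)
class Token:
    user_sid: str
    enabled_groups: frozenset    # SIDs of SECURITY_ENABLED groups
    deny_only_groups: frozenset  # SIDs of security-disabled groups

def access_check(token, dacl, desired):
    """Walk the DACL in order; True only if every desired bit is granted."""
    grant_sids = {token.user_sid} | token.enabled_groups
    # Deny ACEs are checked against every SID in the token, including
    # the security-disabled groups; allow ACEs are not.
    deny_sids = grant_sids | token.deny_only_groups
    remaining = desired
    for ace in dacl:
        if ace.kind == "deny":
            if ace.sid in deny_sids and ace.mask & remaining:
                return False
        elif ace.kind == "allow":
            if ace.sid in grant_sids:
                remaining &= ~ace.mask
        else:
            raise ValueError(f"unknown ACE kind: {ace.kind!r}")
        if remaining == 0:
            return True
    return remaining == 0

def demo():
    # Constructed SIDs: one user and one group the user belongs to.
    user, group = "S-1-5-21-1-2-3-1104", "S-1-5-21-1-2-3-1201"
    disabled = Token(user, frozenset(), frozenset({group}))
    enabled = Token(user, frozenset({group}), frozenset())
    allow_group = [Ace("allow", group, READ)]
    deny_group = [Ace("deny", group, WRITE),
                  Ace("allow", user, READ | WRITE)]
    return {
        # An allow ACE for the group grants nothing while it is security-disabled.
        "allow_ace_disabled": access_check(disabled, allow_group, READ),
        "allow_ace_enabled": access_check(enabled, allow_group, READ),
        # A deny ACE for the same group still applies.
        "deny_ace_disabled_write": access_check(disabled, deny_group, WRITE),
        "deny_ace_disabled_read": access_check(disabled, deny_group, READ),
    }
```
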
Parameters: Name of new user account, domain of new user account, SID string of new user account, user name of subject creating the user account, domain name of subject creating the user account, logon ID string of subject creating the user account, privileges used to create the user account.
Configurable Information: Success
Formal name: SE_AUDITID_USER_CREATED
Parameters: Name of target user account, domain of target user account, SID string of target user account, user name of subject changing the user account, domain name of subject changing the user account, logon ID string of subject changing the user account.
Configurable Information: Success
Formal name: SE_AUDITID_USER_PWD_CHANGED
Parameters: Name of target user account, domain of target user account, SID string of target user account, user name of subject changing the user account, domain name of subject changing the user account, logon ID string of subject changing the user account.
Configurable Information: Success
Formal name: SE_AUDITID_USER_PWD_SET
Parameters: Name of target user account, domain of target user account, SID string of target user account, user name of subject deleting the user account, domain name of subject deleting the user account, logon ID string of subject deleting the user account.
Configurable Information: Success
Formal name: SE_AUDITID_USER_DELETED
Parameters: Name of new group account, domain of new group account, SID string of new group account, user name of subject creating the account, domain name of subject creating the account, logon ID string of subject creating the account.
Configurable Information: Success
Formal name: SE_AUDITID_GLOBAL_GROUP_CREATED
Parameters: SID string of member being added, name of target account, domain of target account, SID string of target account, user name of subject changing the account, domain name of subject changing the account, logon ID string of subject changing the account.
Configurable Information: Success
Formal name: SE_AUDITID_GLOBAL_GROUP_ADD
Parameters: SID string of member being removed, name of target account, domain of target account, SID string of target account, user name of subject changing the account, domain name of subject changing the account, logon ID string of subject changing the account.
Configurable Information: Success
Formal name: SE_AUDITID_GLOBAL_GROUP_REM
Parameters: Name of the global group account, domain of the global group account, SID string of the global group account, user name of subject deleting the global group, domain name of subject deleting the global group, logon ID string of subject deleting the global group.
Configurable Information: Success
Formal name: SE_AUDITID_GLOBAL_GROUP_DELETED
Parameters: Name of new group account, domain of new group account, SID string of new group account, user name of subject creating the account, domain name of subject creating the account, logon ID string of subject creating the account.
Configurable Information: Success
Formal name: SE_AUDITID_LOCAL_GROUP_CREATED
Parameters: SID string of member being added, name of target account, domain of target account, SID string of target account, user name of subject changing the account, domain name of subject changing the account, logon ID string of subject changing the account.
Configurable Information: Success
Formal name: SE_AUDITID_LOCAL_GROUP_ADD
Parameters: SID string of member being removed, name of target account, domain of target account, SID string of target account, user name of subject changing the account, domain name of subject changing the account, logon ID string of subject changing the account.
Configurable Information: Success
Formal name: SE_AUDITID_LOCAL_GROUP_REM
Parameters: Name of group account being deleted, domain of the group account, SID string of group account, user name of subject deleting the account, domain name of subject deleting the account, logon ID string of subject deleting the account.
Configurable Information: Success
Formal name: SE_AUDITID_LOCAL_GROUP_DELETED
Parameters: Name of group account being changed, domain of group account, SID string of group account, user name of subject changing the account, domain name of subject changing the account, logon ID string of subject changing the account.
Configurable Information: Success
Formal name: SE_AUDITID_LOCAL_GROUP_CHANGE
Parameters: Name of group account being changed, domain of group account, SID string of target account, user name of subject changing the account, domain name of subject changing the account, logon ID string of subject changing the account.
Configurable Information: Success
Formal name: SE_AUDITID_GLOBAL_GROUP_CHANGE
Parameters: Name of user account, domain of user account, SID string of user account, user name of subject changing the user account, domain name of subject changing the user account, logon ID string of subject changing the user account.
Configurable Information: Success
Formal name: SE_AUDITID_USER_CHANGE
Parameters: Domain policy that was modified, domain name, domain ID, caller user name, caller domain, caller logon ID, privileges used.
Configurable Information: Success
Formal name: SE_AUDITID_DOMAIN_POLICY_CHANGE
Parameters: Name of target user account, domain of target user account, SID string of target user account, user name of subject changing the user account, domain name of subject changing the user account, logon ID string of subject changing the user account.
Configurable Information: Success
Formal name: SE_AUDITID_ACCOUNT_AUTO_LOCKED
This happens when a user attempts to log on unsuccessfully multiple times (the number of attempts is configured by the administrator).
Parameters: Name of new computer account, domain of new computer account, SID string of new computer account, user name of subject creating the computer account, domain name of subject creating the computer account, logon ID string of subject creating the computer account, privileges used to create the computer account.
Configurable Information: Success
Formal name: SE_AUDITID_COMPUTER_CREATED
Parameters: Name of target computer account, domain of target computer account, SID string of target computer account, user name of subject changing the computer account, domain name of subject changing the computer account, logon ID string of subject changing the computer account, privileges used to change the computer account.
Configurable Information: Success
Formal name: SE_AUDITID_COMPUTER_CHANGE
Parameters: Name of target computer account, domain of target computer account, SID string of target computer account, user name of subject deleting the computer account, domain name of subject deleting the computer account, logon ID string of subject deleting the computer account, privileges used to delete the computer account.
Configurable Information: Success
Formal name: SE_AUDITID_COMPUTER_DELETED
Parameters: Name of new group account, domain of new group account, SID string of new group account, user name of subject creating the account, domain name of subject creating the account, logon ID string of subject creating the account, privileges used to create the account.
Configurable Information: Success
Formal name: SE_AUDITID_SECURITY_DISABLED_LOCAL_GROUP_CREATED
SECURITY_DISABLED in the formal name means that this group cannot be used to grant permissions in access checks. If the SID representing a security-disabled group appears in a user's token, it is only used to verify deny access control entries (ACEs) during an access check. A SECURITY_ENABLED group is used to verify all ACEs during an access check.
For more information about access tokens and the roles and usage of local, global, or universal groups, see Authorization and Access Control in this book.
Parameters: Name of group account, domain of group account, SID string of group account, user name of subject modifying the account, domain name of subject modifying the account, logon ID string of subject modifying the account, privileges used to modify the account.
Configurable Information: Success
Formal name: SE_AUDITID_SECURITY_DISABLED_LOCAL_GROUP_CHANGE
Parameters: SID string of member being added, name of security-disabled local security group account, domain of security group account, SID string of security-disabled local security group account, user name of subject changing the membership of the security-disabled local security group, domain name of subject changing the membership of the security-disabled local security group, logon ID string of subject changing the membership of the security-disabled local security group.
Configurable Information: Success
Formal name: SE_AUDITID_SECURITY_DISABLED_LOCAL_GROUP_ADD
Parameters: SID string of member being removed, name of security-disabled local security group account, domain of security-disabled security group account, SID string of local security group account, user name of subject changing the membership of the security-disabled local security group, domain name of subject changing the membership of the security-disabled local security group, logon ID string of subject changing the membership of the security-disabled local security group.
Configurable Information: Success
Formal name: SE_AUDITID_SECURITY_DISABLED_LOCAL_GROUP_REM
Parameters: Name of the security-disabled local group, domain of security-disabled local group, SID string of security-disabled local group, user name of subject deleting the security-disabled local group, domain name of subject deleting the security-disabled local group, logon ID string of subject deleting the security-disabled local group.
Configurable Information: Success
Formal name: SE_AUDITID_SECURITY_DISABLED_LOCAL_GROUP_DELETED
Parameters: Name of new security-disabled global group, domain of new security-disabled global group, SID string of new security-disabled global group, user name of subject creating the security-disabled global group, domain name of subject creating the security-disabled global group, logon ID string of subject creating the security-disabled global group.
Configurable Information: Success
Formal name: SE_AUDITID_SECURITY_DISABLED_GLOBAL_GROUP_CREATED
Parameters: Name of security-disabled global group, domain of security-disabled global group, SID string of security-disabled global group, user name of subject changing the security-disabled global group, domain name of subject changing the security-disabled global group, logon ID string of subject changing the security-disabled global group.
Configurable Information: Success
Formal name: SE_AUDITID_SECURITY_DISABLED_GLOBAL_GROUP_CHANGE
Parameters: SID string of member being added, name of security-disabled global group, domain of security-disabled global group, SID string of security-disabled global group, user name of subject changing the security-disabled global group, domain name of subject changing the security-disabled global group, logon ID string of subject changing the security-disabled global group.
Configurable Information: Success
Formal name: SE_AUDITID_SECURITY_DISABLED_GLOBAL_GROUP_ADD
Parameters: SID string of member being removed, name of security-disabled global group, domain of security-disabled global group, SID string of security-disabled global group, user name of subject changing the security-disabled global group, domain name of subject changing the security-disabled global group, logon ID string of subject changing the security-disabled global group.
Configurable Information: Success
Formal name: SE_AUDITID_SECURITY_DISABLED_GLOBAL_GROUP_REM
Parameters: Name of security-disabled global group, domain of security-disabled global group, SID string of security-disabled global group, user name of subject deleting the security-disabled global group, domain name of subject deleting the security-disabled global group, logon ID string of subject deleting the security-disabled global group.
Configurable Information: Success
Formal name: SE_AUDITID_SECURITY_DISABLED_GLOBAL_GROUP_DELETED
Parameters: Name of new group account, domain of new security-enabled universal group, SID string of new security-enabled universal group, user name of subject creating the security-enabled universal group, domain name of subject creating the security-enabled universal group, logon ID string of subject creating the security-enabled universal group.
Configurable Information: Success
Formal name: SE_AUDITID_SECURITY_ENABLED_UNIVERSAL_GROUP_CREATED
Parameters: Name of target security-enabled universal group, domain of security-enabled universal group, SID string of security-enabled universal group, user name of subject changing the security-enabled universal group, domain name of subject changing the security-enabled universal group, logon ID string of subject changing the security-enabled universal group.
Configurable Information: Success
Formal name: SE_AUDITID_SECURITY_ENABLED_UNIVERSAL_GROUP_CHANGE
Parameters: SID string of member being added, name of security-enabled universal group, domain of security-enabled universal group, SID string of security-enabled universal group, user name of subject changing the security-enabled universal group, domain name of subject changing the security-enabled universal group, logon ID string of subject changing the security-enabled universal group.
Configurable Information: Success
Formal name: SE_AUDITID_SECURITY_ENABLED_UNIVERSAL_GROUP_ADD
Parameters: SID string of member being removed, name of security-enabled universal group, domain of security-enabled universal group, SID string of security-enabled universal group, user name of subject changing the security-enabled universal group, domain name of subject changing the security-enabled universal group, logon ID string of subject changing the security-enabled universal group.
Configurable Information: Success
Formal name: SE_AUDITID_SECURITY_ENABLED_UNIVERSAL_GROUP_REM
Parameters: Name of target account, domain of security-enabled universal group, SID string of security-enabled universal group, user name of subject deleting the security-enabled universal group, domain name of subject deleting the security-enabled universal group, logon ID string of subject deleting the security-enabled universal group.
Configurable Information: Success
Formal name: SE_AUDITID_SECURITY_ENABLED_UNIVERSAL_GROUP_DELETED
Parameters: Name of new security-disabled universal group, domain of new security-disabled universal group, SID string of new security-disabled universal group, user name of subject creating the security-disabled universal group, domain name of subject creating the security-disabled universal group, logon ID string of subject creating the security-disabled universal group.
Configurable Information: Success
Formal name: SE_AUDITID_SECURITY_DISABLED_UNIVERSAL_GROUP_CREATED
Parameters: Name of security-disabled universal group, domain of security-disabled universal group, SID string of security-disabled universal group, user name of subject changing the security-disabled universal group, domain name of subject changing the security-disabled universal group, logon ID string of subject changing the security-disabled universal group.
Configurable Information: Success
Formal name: SE_AUDITID_SECURITY_DISABLED_UNIVERSAL_GROUP_CHANGE
Parameters: SID string of member being added, name of security-disabled universal group, domain of security-disabled universal group, SID string of security-disabled universal group, user name of subject changing the security-disabled universal group, domain name of subject changing the security-disabled universal group, logon ID string of subject changing the security-disabled universal group.
Configurable Information: Success
Formal name: SE_AUDITID_SECURITY_DISABLED_UNIVERSAL_GROUP_ADD
Parameters: SID string of member being removed, name of security-disabled universal group, domain of security-disabled universal group, SID string of security-disabled universal group, user name of subject changing the security-disabled universal group, domain name of subject changing the security-disabled universal group, logon ID string of subject changing the security-disabled universal group.
Configurable Information: Success
Formal name: SE_AUDITID_SECURITY_DISABLED_UNIVERSAL_GROUP_REM
Parameters: Name of target account, domain of security-disabled universal group, SID string of security-disabled universal group, user name of subject deleting the security-disabled universal group, domain name of subject deleting the security-disabled universal group, logon ID string of subject deleting the security-disabled universal group.
Configurable Information: Success
Formal name: SE_AUDITID_SECURITY_DISABLED_UNIVERSAL_GROUP_DELETED
Parameters: Nature of group type change, name of group being changed, domain of group being changed, SID string of group being changed, user name of subject changing the group type, domain name of subject changing the group type, logon ID string of subject changing the group type.
Configurable Information: Success
Formal name: SE_AUDITID_GROUP_TYPE_CHANGE
Parameters: Domain of target user account, SID string of target user account, user name of subject changing the user account, domain name of subject changing the user account, logon ID string of subject changing the user account.
Configurable Information: Success
Formal name: SE_AUDITID_SECURE_ADMIN_GROUP
Every 60 minutes on a domain controller, a background thread searches all members of administrative groups (such as domain, enterprise, and schema administrators) and applies a fixed security descriptor to them. This event is logged.
Parameters: Name of target account, domain of target account, SID string of target account, user name of subject changing the account, domain name of subject changing the account, logon ID string of subject changing the account.
Configurable Information: Success
Formal name: SE_AUDITID_ACCOUNT_NAME_CHANGE