Auditing user accounts in Server 2008 R2
Tuesday, October 06, 2009 11:10 AM
Windows Server 2008 R2 Group Policy permits administrators to audit status changes to user accounts. Here's a look at this feature.
Windows Group Policy is a powerful collection of configuration elements, and it can roll nicely into security configurations required for organizations of various types.
One Group Policy configuration that may be useful is the User Account Management Audit Policy. This policy allows user account audits for events, including object being changed, created, deleted, renamed, enabled, and disabled, password changes, permissions assignment changes, and other actions.
You can get to this setting by going to Computer Configuration | Windows Settings | Advanced Audit Policy Configuration | Account Management | User Account Management. The policy is shown in Figure A.
Figure A
Click the image to enlarge.
Once you enable this configuration, relevant events are passed into the Windows Security log for user account objects.
Let's go through a quick example with this audit configuration in place. On a test server, I did two events that will cause an audit event: I enabled the guest account, and then I changed the password for that account. Once those two tasks were done, these events were logged in the Security log on the local server.
Figure B shows the password event being logged.
Figure B
Click the image to enlarge.
This audit configuration can be managed centrally with Group Policy and configured for event forwarding. This auditing can be beneficial to monitor accounts for change records for selected accounts.
Rick Vanover is a systems administrator in Columbus, Ohio. He has more than 12 years of IT experience, and he focuses on virtualization, Windows-based server administration, and system hardware.
There are currently no comments for this post.