Audit User Account Management

This security policy setting determines whether the operating system generates audit events when the following user account management tasks are performed:

  • A user account is created, changed, deleted, renamed, disabled, enabled, locked out, or unlocked.
  • A user account password is set or changed.
  • Security identifier (SID) history is added to a user account.
  • The Directory Services Restore Mode password is set.
  • Permissions on accounts that are members of administrators groups are changed.
  • Credential Manager credentials are backed up or restored.


This policy setting is essential for tracking events that involve provisioning and managing user accounts.

Event volume: Low

If this policy setting is configured, the following events are generated. The events appear on computers running Windows Server 2008 R2, Windows Server 2008, Windows 7, or Windows Vista.

  • 4720: A user account was created.
  • 4722: A user account was enabled.
  • 4723: An attempt was made to change an account's password.
  • 4724: An attempt was made to reset an account's password.
  • 4725: A user account was disabled.
  • 4726: A user account was deleted.
  • 4738: A user account was changed.
  • 4740: A user account was locked out.
  • 4765: SID History was added to an account.
  • 4766: An attempt to add SID History to an account failed.
  • 4767: A user account was unlocked.
  • 4780: The ACL was set on accounts which are members of administrators groups.
  • 4781: The name of an account was changed.
  • 4794: An attempt was made to set the Directory Services Restore Mode administrator password.
  • 5376: Credential Manager credentials were backed up.
  • 5377: Credential Manager credentials were restored from a backup.
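
The following PowerShell review of the events listed above is an added example, not part of the original page or Microsoft's own code. The 24-hour window and the created-then-deleted check in step 5 are assumptions chosen for illustration, and the script must be run from an elevated prompt.

```powershell
# Event IDs exactly as listed on this page.
$ids = 4720,4722,4723,4724,4725,4726,4738,4740,4765,4766,4767,4780,4781,4794,5376,5377

# 1. Show the current audit setting for the subcategory.
auditpol /get /subcategory:"User Account Management"

# 2. Collect matching events from the Security log.
$since  = (Get-Date).AddHours(-24)   # assumption: 24-hour review window
$filter = @{ LogName = 'Security'; Id = $ids; StartTime = $since }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

# 3. Flatten each event into actor (Subject) and affected account (Target).
#    Both columns stay blank for events that do not carry those fields.
$rows = foreach ($e in $events) {
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
        if ($d.Name) { $data[$d.Name] = $d.'#text' }
    }
    [pscustomobject]@{
        Time    = $e.TimeCreated
        Id      = $e.Id
        Summary = ("$($e.Message)" -split "`r?`n")[0]
        Actor   = $data['SubjectUserName']
        Target  = $data['TargetUserName']
    }
}

# 4. Count per event ID, then the full timeline.
$rows | Group-Object Id, Summary | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize
$rows | Sort-Object Time | Format-Table Time, Id, Actor, Target, Summary -AutoSize

# 5. Accounts created (4720) and then deleted (4726) within the window.
foreach ($c in ($rows | Where-Object { $_.Id -eq 4720 })) {
    $rows |
        Where-Object { $_.Id -eq 4726 -and $_.Target -eq $c.Target -and $_.Time -gt $c.Time } |
        ForEach-Object {
            "{0}: created {1:s} by {2}, deleted {3:s} by {4}" -f `
                $c.Target, $c.Time, $c.Actor, $_.Time, $_.Actor
        }
}
```

Because the expected event volume for this subcategory is low, an unusually high count for any single ID in step 4 is worth a closer look.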

Scope: Computer

Default: Success
