How to Audit User Account Changes in Active Directory

by Danny Murphy

Tracking user account changes in Active Directory helps you keep your IT environment secure and compliant. There are numerous user account changes to watch out for, such as new users created with a lot of permissions, user accounts deleted, user accounts enabled or disabled, and more. Any of these changes, if made by a user with malicious intentions, can result in data leakage. You can prevent such insider threats by continuously monitoring for unwanted or unauthorized user account changes. In this article, you will learn how to audit user account changes in Active Directory both natively and using Lepide Active Directory Auditor.

Audit User Account Changes in Active Directory with Native Auditing

Step 1: “User Account Management” Audit Policy

Perform the following steps to enable “User Account Management” audit policy:

  1. Go to “Administrative Tools” and open “Group Policy Management” console on the primary “Domain Controller”.
  2. In “Group Policy Management”, create a new GPO or edit an existing GPO. It is recommended to create a new GPO, link it to the domain and then edit it.
  3. To create a new GPO, right-click the domain name in the left panel, and click “Create a GPO in this domain, and Link it here”. The “New GPO” window appears on the screen. Provide a name (User Account Management in our case) and click “OK”.
  4. The new GPO appears in the left pane. Right-click it and click “Edit” in the context menu. “Group Policy Management Editor” appears on the screen.
  5. In this window, you have to set “Audit User Account Management” policy. To do that, navigate to “Computer Configuration” ➔ “Windows Settings” ➔ “Security Settings” ➔ “Advanced Audit Policy Configuration” ➔ “Audit Policies”.
  6. Select “Account Management” policy to list all of its sub-policies. Double-click the “Audit User Account Management” policy to open its “Properties” window.

    Note: Instead of configuring “Local Policy”, it is recommended to configure the above policy in “Advanced Audit Policy Configuration”. This is because in “Local Policy” you have to enable all account management policies, which will generate a huge amount of event logs. To minimize the noise, “Advanced Audit Policy Configuration” should be preferred.

    Figure 1: The “Audit User Account Management” policy

  7. In the policy properties, select the “Define these policy settings” checkbox. Then, select the “Success” and “Failure” checkboxes. You can choose either one or both of the options as per your need. In our case, we have selected both options because we want to audit both successful and failed attempts.
    Figure 2: Properties of “Audit User Account Management” policy

  8. Click “Apply”, and “OK” to close the properties window.
  9. It is recommended to update the Group Policy instantly so that new changes can be applied on the entire domain. Run the following command in the “Command Prompt”:

    Gpupdate /force

    In the following image, you can see the “Gpupdate” command run.

    Figure 3: Updating the Group Policy

Step 2: Track user account changes through Event Viewer

To track user account changes in Active Directory, open “Windows Event Viewer”, and go to “Windows Logs” ➔ “Security”. Use the “Filter Current Log” option in the right pane to find the relevant events.

The following are some of the events related to user account management:

  1. Event ID 4720 shows a user account was created.
  2. Event ID 4722 shows a user account was enabled.
  3. Event ID 4740 shows a user account was locked out.
  4. Event ID 4725 shows a user account was disabled.
  5. Event ID 4726 shows a user account was deleted.
  6. Event ID 4738 shows a user account was changed.
  7. Event ID 4781 shows the name of an account was changed.

    In our lab environment, we have enabled a disabled user account. The following image shows a screenshot of the event’s properties window (Event ID 4722). The name of the user who enabled the account is shown under the “Subject ➔ Account Name” field, and the time the account was enabled is displayed under the “Logged” field.

    Figure 4: A user account was enabled

    To see the name of the user whose account was enabled, scroll down in the event’s properties window. In the following image, you can see the user’s name under the “Target Account ➔ Account Name” field.

    Figure 5: The user’s name whose account was enabled
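
The Event Viewer lookup above can also be scripted. The following PowerShell is an added example, not part of the original article or of any Lepide product: it reads the event IDs listed above from the Security log and prints who changed which account and when, one record per event. The function name, the action labels, the sample event and the 24-hour window are assumptions made for illustration.

```powershell
# Added example, not from the original article. Run elevated on a domain controller.
# Event IDs are the ones listed above; the action labels are shorthand for this example.
$Actions = @{
    4720 = 'created'; 4722 = 'enabled'; 4740 = 'locked out'; 4725 = 'disabled'
    4726 = 'deleted'; 4738 = 'changed'; 4781 = 'renamed'
}

function ConvertTo-AccountChangeRecord {
    param([Parameter(Mandatory, ValueFromPipeline)] [string] $EventXml)
    process {
        $e  = ([xml]$EventXml).Event
        $id = [int]$e.System.EventID
        # Index the named <Data> fields (SubjectUserName, TargetUserName, ...).
        $data = @{}
        foreach ($d in $e.EventData.Data) { $data[$d.Name] = $d.'#text' }
        # 4781 (rename) carries old and new names instead of TargetUserName.
        $target = if ($id -eq 4781) {
            '{0} -> {1}' -f $data['OldTargetUserName'], $data['NewTargetUserName']
        } else { $data['TargetUserName'] }
        [pscustomobject]@{
            LoggedUtc = $e.System.TimeCreated.SystemTime
            EventId   = $id
            Action    = $Actions[$id]
            Who       = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
            Target    = $target
            Computer  = $e.System.Computer
        }
    }
}

# Constructed sample of a 4722 event, trimmed to the fields used here.
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>4722</EventID><TimeCreated SystemTime="2024-01-15T09:30:00Z"/>
  <Computer>dc01.example.test</Computer></System>
 <EventData><Data Name="TargetUserName">jdoe</Data>
  <Data Name="SubjectUserName">admin1</Data>
  <Data Name="SubjectDomainName">EXAMPLE</Data></EventData>
</Event>
'@
$sample | ConvertTo-AccountChangeRecord | Format-List

# Live query of the local Security log; the 24-hour window is an assumption.
# SilentlyContinue hides the "no events found" error when nothing matches.
$filter = @{ LogName = 'Security'; Id = [int[]]@($Actions.Keys); StartTime = (Get-Date).AddDays(-1) }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object { $_.ToXml() } | ConvertTo-AccountChangeRecord |
    Sort-Object LoggedUtc | Format-Table -AutoSize
```

These events are written to the Security log of the domain controller that processed the change, so in a domain with several controllers the query has to be run against each of them (for example with the `-ComputerName` parameter of `Get-WinEvent`).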

Using Lepide Active Directory Auditor to track user account changes

Often cited as being both quicker and easier than native auditing methods, Lepide Active Directory Auditor (part of Lepide Data Security Platform) enables you to track user account changes in your Active Directory in a much better way. The following image shows the “User Status Modifications” report. The complete audit information about a user’s status change is shown in a single line record:

Figure 6: “Read Successful” report

In the above image, you can see the same user’s status change record in Lepide Active Directory Auditor. The record has been highlighted and the complete audit information, like who enabled the user and when, is available in a single line record.


In this article, we’ve shown you how to detect user account changes in Active Directory through native auditing. You’ve also had the pleasure of seeing a glimpse of what our award-winning Lepide Active Directory Auditor can do to simplify Active Directory auditing.
