Link to home
Start Free TrialLog in
Avatar of UDSquare
UDSquareFlag for India

asked on

audit any new user account in AD

I'd like to audit any new user creations. If this alert could be saved in the event viewer as a saved filter that'd be great. I need to monitor this very closely.

Please advice.
ASKER CERTIFIED SOLUTION
Avatar of Evan Cutler
Evan Cutler
Flag of United States of America image

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Avatar of intellingence
intellingence

We have set-up email alerts for some other events but including adding/creating new users (event 4720), I can help you with setting this up if you like, however if you just filter your security event viewer (on domain controller) to see event ID 4720. This will show you black on white when new user is created and by whom.

Hope this helps
hi see below for windows 2003

User Account Created - security 624
User Account Enabled - security 626
User Account Locked Out - security 644 or security 4740
you can download free SIEM tools which will let you add say 3-4 servers.

Add your Dc in, then create a 'new user' thread so each time a new user is created for example its written to the thread.  You can then also specify if it happens alert me via email........
Avatar of UDSquare

ASKER

Thanks. We will check and update you the status.