Auditing user accounts in Windows Server 2008 R2

Windows Server 2008 R2 Group Policy permits administrators to audit status changes to user accounts. IT guru Rick Vanover outlines this feature.

Windows Group Policy is a powerful collection of configuration elements, and it fits naturally into the security configurations that organizations of various types require. One Group Policy setting that may be useful is the User Account Management Audit Policy. This policy enables auditing of user account events, including an account object being changed, created, deleted, renamed, enabled or disabled, password changes, permission assignment changes, and other actions.

You can get to this setting by going to Computer Configuration | Windows Settings | Advanced Audit Policy Configuration | Account Management | User Account Management. The policy is shown in Figure A.

Figure A

Once you enable this setting, the relevant events for user account objects are written to the Windows Security log.

Let's go through a quick example with this audit configuration in place. On a test server, I performed two actions that each generate an audit event: I enabled the Guest account, and then I changed the password for that account. Once those two tasks were done, the events appeared in the Security log on the local server. Figure B shows the password event being logged.

Figure B

This audit configuration can be managed centrally with Group Policy and combined with event forwarding. The auditing is useful for keeping a record of changes to selected accounts.
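As an added example (not code from the article or from Microsoft), the following PowerShell enables the same subcategory on a local server and pulls the resulting Security-log events, so the Guest-account experiment above, or changes to any watched account, can be listed together with who made them. It assumes the standard event IDs Windows logs under this subcategory and a constructed list of accounts to watch.

```powershell
# Added example, not from the original article. auditpol and Get-WinEvent are built-in
# Windows tools, the event IDs are the standard ones Windows logs under the User Account
# Management subcategory, and the watched account list is a constructed sample.

# 1. Enable success and failure auditing for the subcategory on this server
#    (on a domain member the setting normally comes from Group Policy instead).
auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable

# 2. Map the subcategory's event IDs to the change each one records.
$UserAccountEvents = @{
    4720 = 'User account created'
    4722 = 'User account enabled'
    4723 = 'Password change attempted (by the user)'
    4724 = 'Password reset attempted (by an administrator)'
    4725 = 'User account disabled'
    4726 = 'User account deleted'
    4738 = 'User account changed'
    4781 = 'User account renamed'
}

# 3. Return the account-management events from the last N hours, optionally limited
#    to accounts worth watching (Guest, as in the article). PowerShell 2.0 syntax.
function Get-UserAccountChange {
    param(
        [int]$Hours = 24,
        [string[]]$WatchAccounts = @('Guest', 'Administrator')   # constructed sample list
    )
    $filter = @{
        LogName   = 'Security'
        Id        = [int[]]$UserAccountEvents.Keys
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        # 4781 (rename) carries Old/NewTargetUserName instead of TargetUserName.
        $target = $data['TargetUserName']
        if (-not $target) { $target = $data['NewTargetUserName'] }
        New-Object PSObject -Property @{
            Time      = $_.TimeCreated
            EventId   = $_.Id
            Action    = $UserAccountEvents[$_.Id]
            Target    = $target                      # account that was changed
            ChangedBy = $data['SubjectUserName']     # account that made the change
        }
    } | Where-Object { -not $WatchAccounts -or ($WatchAccounts -contains $_.Target) }
}
Get-UserAccountChange -Hours 24 | Format-Table Time, EventId, Action, Target, ChangedBy -AutoSize
```

Enabling the Guest account and resetting its password, as in the example above, should show up as a 4722 and a 4724 event with Guest in the Target column.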
