Auditing and Account Management
Auditing and account management are essential components of Windows security, helping administrators monitor and control access to resources. This documentation provides an overview of audit policies, account management events, and guidance on configuring secure auditing practices.
Key Concepts
- Audit Policy – Determines which events are logged in the Security log.
- Account Management Events – Track changes to user and group accounts, including creation, deletion, and modification.
- Log Retention & Analysis – Best practices for retaining logs and analysing them with tools such as Event Viewer, PowerShell, and Azure Sentinel.
Configuring Audit Policies
Use the Local Group Policy Editor or AuditPol.exe (run from an elevated command prompt) to configure audit subcategories.
Navigate to Computer Configuration → Windows Settings → Security Settings → Advanced Audit Policy Configuration and enable the desired subcategories.
auditpol /set /category:"Account Logon" /success:enable /failure:enable
auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable
Monitoring Account Management Events
Key Event IDs:
- 4720 – A user account was created.
- 4722 – A user account was enabled.
- 4723 – An attempt was made to change an account's password.
- 4732 – A member was added to a security-enabled local group.
Example PowerShell query to retrieve recent account creation events:
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4720} -MaxEvents 20 |
Select-Object TimeCreated, Message |
Format-Table -AutoSize
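The query above returns the localized Message text, which is awkward to correlate. The following added example (not part of the original page) instead parses the EventData fields of 4720 and 4732 and flags any newly created account that was added to the built-in Administrators group within a short window, a pattern worth reviewing; the 24-hour lookback and 10-minute window are assumed values.

```powershell
# Assumed parameters: look back 24 hours, flag a 4720 followed by a 4732 into Administrators within 10 minutes.
$Since     = (Get-Date).AddHours(-24)
$Window    = New-TimeSpan -Minutes 10
$AdminsSid = 'S-1-5-32-544'   # well-known SID of the built-in Administrators group

function ConvertTo-EventData {
    # Flatten the <Data Name="..."> elements of a Security event into a hashtable keyed by field name.
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Event)
    $xml = [xml]$Event.ToXml()
    $fields = @{}
    foreach ($d in $xml.Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    return $fields
}

# 4720: account creations. TargetSid is the SID of the new account, SubjectUserName the creator.
$created = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4720; StartTime=$Since} -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = ConvertTo-EventData $_
        [pscustomobject]@{ Time = $_.TimeCreated; Account = $d.TargetUserName; Sid = $d.TargetSid; By = $d.SubjectUserName }
    }

# 4732: local group membership additions. MemberSid is the added principal, TargetSid the group.
$added = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4732; StartTime=$Since} -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = ConvertTo-EventData $_
        [pscustomobject]@{ Time = $_.TimeCreated; MemberSid = $d.MemberSid; Group = $d.TargetUserName; GroupSid = $d.TargetSid; By = $d.SubjectUserName }
    }

# Correlate on the account SID rather than the name, so renames cannot break the join.
foreach ($c in $created) {
    $hits = $added | Where-Object {
        $_.MemberSid -eq $c.Sid -and $_.GroupSid -eq $AdminsSid -and
        $_.Time -ge $c.Time -and ($_.Time - $c.Time) -le $Window
    }
    foreach ($h in $hits) {
        [pscustomobject]@{
            Created = $c.Time; Account = $c.Account; CreatedBy = $c.By
            AddedToAdmins = $h.Time; AddedBy = $h.By
        }
    }
}
```

Run it in an elevated PowerShell session on the host whose Security log you are reviewing; with no matches it prints nothing, since -ErrorAction SilentlyContinue suppresses the "No events were found" error Get-WinEvent raises for an empty result.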
Best Practices
- Enable both success and failure auditing for critical subcategories.
- Forward Security logs to a centralized SIEM.
- Regularly review audit logs for anomalous activity.
- Implement log retention policies that meet compliance requirements.