Tracking user account changes in Active Directory matters for compliance, for security, and for operational efficiency. Inactive user accounts, a large number of new accounts with extended permissions, and disabled or suspiciously modified user accounts can all affect productivity and network security, as well as compliance.
First of all, auditing user account changes in Active Directory can help validate conformance with the organization’s security baselines and find potential vulnerabilities to prevent security issues.
Monitoring user accounts for violations of compliance policies lets you see whether irregularities occur and remediate them so that you are prepared for a compliance audit.
Audit accidental or malicious changes to user accounts, including created, deleted, enabled or disabled accounts, to prevent disruptions to the continuous availability of IT services and to maintain business continuity.
So let’s compare two ways in which user account changes can be detected.
1. Enable audit policies on the Default Domain Controller Security Policy GPO. Enable the “Audit user account management” audit policy.
2. Look for event ID 4720 (user account creation), 4722 (user account enabled), 4725 (user account disabled), 4726 (user account deleted) and 4738 (user account changed).
3. Keep in mind that when you initially create a user account, AD creates the account as disabled, makes several initial updates to it and then immediately enables it. Therefore you will always see a somewhat bogus occurrence of 4722 associated with each new account created.
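The three steps above, worked through as an added example that is not part of the original article or of any Netwrix product: a triage function over exported Security log records that reports the five event IDs and drops the 4722 that accompanies each account creation. The field names follow the Security log event data (TargetSid, TargetUserName, SubjectUserName); the 5-second window and the sample records are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Event IDs from step 2, mapped to the action they record.
ACTIONS = {4720: "created", 4722: "enabled", 4725: "disabled",
           4726: "deleted", 4738: "changed"}

# Assumption: the enable that AD performs during account creation is logged
# within a few seconds of the 4720. Tune this for your domain controllers.
CREATION_WINDOW = timedelta(seconds=5)


def triage(events, window=CREATION_WINDOW):
    """Return (time, action, target, actor) findings, dropping the 4722 that
    step 3 describes: an enable directly following creation of the account."""
    created_at = {}  # TargetSid -> time of a 4720 not yet paired with a 4722
    findings = []
    # Sort by time, then event ID, so a 4720 precedes a 4722 on equal stamps.
    for ev in sorted(events, key=lambda e: (e["TimeCreated"], e["EventID"])):
        eid, sid, when = ev["EventID"], ev["TargetSid"], ev["TimeCreated"]
        if eid not in ACTIONS:
            continue
        if eid == 4720:
            created_at[sid] = when
        elif eid == 4722 and sid in created_at:
            # Only the first enable after creation can be the artifact.
            if when - created_at.pop(sid) <= window:
                continue
        findings.append((when.isoformat(), ACTIONS[eid],
                         ev["TargetUserName"], ev["SubjectUserName"]))
    return findings


def _ev(eid, ts, target, rid, subject):
    # Constructed domain SID prefix, not taken from any real environment.
    return {"EventID": eid, "TimeCreated": datetime.fromisoformat(ts),
            "TargetUserName": target, "SubjectUserName": subject,
            "TargetSid": "S-1-5-21-1111111111-2222222222-3333333333-" + rid}


# Constructed sample records (not real log data).
SAMPLE = [
    _ev(4720, "2024-05-06T09:15:02", "jdoe", "1601", "helpdesk1"),
    _ev(4722, "2024-05-06T09:15:03", "jdoe", "1601", "helpdesk1"),  # artifact
    _ev(4725, "2024-05-06T11:40:10", "jdoe", "1601", "admin2"),
    _ev(4722, "2024-05-06T11:52:30", "jdoe", "1601", "admin2"),     # genuine
    _ev(4722, "2024-05-06T23:58:41", "old_contractor", "1150", "admin2"),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(*finding, sep="  ")
```

An enable with no preceding creation, such as the constructed `old_contractor` record, is kept in the output because it is not explained by account provisioning.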
Netwrix Auditor for Active Directory
Simply get the information about all changes from your Scheduled User Accounts Changes Report.