Who deleted Kate’s account!? Who added Bob to the Finance group!? Why is Jim’s account locked out!? These are just a few of the questions you may be asked in your day-to-day operations as a Systems Admin. I’ve put together a list of common security-related Event IDs found on Windows Server 2008 Domain Controllers that might just help you track down who deleted Kate’s account, or who added Bob to the Finance department, or that Jim simply cannot remember his own password! :)
Event Action
4720 Account Created
4725 Account Disabled
4726 Account Deleted
4727 Global Security Group Created
4728 Global Security Group Member Added
4729 Global Security Group Member Removed
4730 Global Security Group Deleted
4737 Security Group Attributes Changed
4738 Account Attributes Changed
4740 Account Locked Out
4756 Universal Security Group Member Added
4757 Universal Security Group Member Removed
4759 Distribution Group Created
4760 Distribution Group Changed
4761 Distribution Group Member Added
4762 Distribution Group Member Removed
4763 Distribution Group Deleted
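
One way to put the table to work, as an added example that is not part of the original post: a PowerShell function that pulls these Event IDs from a Domain Controller's Security log and shows who performed each action and against which account or group. The function name `Get-AccountChangeEvent` and its parameters are hypothetical; it assumes an elevated session, that account management auditing is enabled on the Domain Controller, and that `Get-WinEvent` (PowerShell 2.0 or later) is available.

```powershell
# Added example. Event IDs and labels are copied from the table on this page.
$AccountEvents = @{
    4720 = 'Account Created';                        4725 = 'Account Disabled'
    4726 = 'Account Deleted';                        4727 = 'Global Security Group Created'
    4728 = 'Global Security Group Member Added';     4729 = 'Global Security Group Member Removed'
    4730 = 'Global Security Group Deleted';          4737 = 'Security Group Attributes Changed'
    4738 = 'Account Attributes Changed';             4740 = 'Account Locked Out'
    4756 = 'Universal Security Group Member Added';  4757 = 'Universal Security Group Member Removed'
    4759 = 'Distribution Group Created';             4760 = 'Distribution Group Changed'
    4761 = 'Distribution Group Member Added';        4762 = 'Distribution Group Member Removed'
    4763 = 'Distribution Group Deleted'
}

function Get-AccountChangeEvent {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,      # assumption: a Domain Controller
        [datetime]$After      = (Get-Date).AddDays(-7), # how far back to search
        [string]$Target       = '*'                     # account or group name, wildcards allowed
    )

    # Filter on the server side so only the listed Event IDs are returned.
    $filter = @{ LogName = 'Security'; Id = @($AccountEvents.Keys); StartTime = $After }

    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter | ForEach-Object {
        $evt  = $_
        $data = @{}
        # Each <Data Name="..."> element in the event XML is one named field.
        foreach ($d in ([xml]$evt.ToXml()).Event.EventData.Data) {
            $data[$d.GetAttribute('Name')] = $d.InnerText
        }
        New-Object PSObject -Property @{
            Time    = $evt.TimeCreated
            EventId = $evt.Id
            Action  = $AccountEvents[$evt.Id]
            Actor   = '{0}\{1}' -f $data.SubjectDomainName, $data.SubjectUserName  # who made the change
            Target  = $data.TargetUserName                                         # account or group affected
            Member  = $data.MemberName                                             # only set on member added/removed events
            # For 4740 the Actor is the DC itself; TargetDomainName holds the
            # computer the failed logons came from.
            Source  = $(if ($evt.Id -eq 4740) { $data.TargetDomainName })
        }
    } | Where-Object { $_.Target -like $Target } |
        Select-Object Time, EventId, Action, Actor, Target, Member, Source
}

# Constructed usage (the account name is a sample value):
# Get-AccountChangeEvent -Target 'kate' | Format-Table -AutoSize
```

Each Domain Controller keeps its own Security log, so run the query against every DC (or a central collector) when the change could have been made on any of them.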
