Do you use GFI event log watcher for all your workstations? Or just

servers?

-----Original Message-----

From: Greg Merideth [mailto:gmerideth (at) uclnj (dot) com [email concealed]]

Sent: Wednesday, August 23, 2006 12:47 PM

To: Lee Clemens; focus-ms (at) securityfocus (dot) com [email concealed]

Subject: RE: User creation audit trail

I believe event ID 645 is the creation of a user account in the domain.

I use the GFI event log watcher and track that event on the network.

-----Original Message-----

From: Lee Clemens [mailto:lee (at) leeclemens (dot) net [email concealed]]

Sent: Tuesday, August 22, 2006 9:26 PM

To: focus-ms (at) securityfocus (dot) com [email concealed]

Subject: User creation audit trail

Hello all,

I am trying to find a way to verify and when and by whom a user was

created on a Domain computer. The account was created on the local

machine, so I'm wondering if it is captured in the event log somewhere.

And perhaps what the event ID is for that, or anywhere else I could find

out??

Thanks in advance,

Lee Clemens

------------------------------------------------------------------------

---

------------------------------------------------------------------------

---

------------------------------------------------------------------------

---

------------------------------------------------------------------------

---

_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _

NOTICE: This email is business confidential. If received in error, please destroy this email and notify sender immediately. Sender does not waive confidentiality, or privilege and use is prohibited.

------------------------------------------------------------------------
---
------------------------------------------------------------------------
---

[ reply ]