G'day viewers, my name is Oren Thomas. I'm a principal hybrid cloud advocate at Microsoft. In this video, you'll learn about the Account Management policies category of advanced security auditing for Windows Server. This advice is based on the documentation published on learn.microsoft.com at the link in this video's description. This video is part of a series of videos on advanced auditing and related events that will be published in the coming weeks. Our aim is to provide you with a comprehensive understanding of advanced security auditing in Windows Server and Active Directory environments.

The security audit policy settings in the Account Management policies category can be used to monitor changes to user and computer accounts and groups. This category includes the following subcategories: Audit Application Group Management, Audit Computer Account Management, Audit Distribution Group Management, Audit Other Account Management Events, Audit Security Group Management and Audit User Account Management. Some of these policies are more useful than others, so I won't cover them in alphabetical order.

The Audit Security Group Management policy determines whether the operating system generates audit events when specific security group management tasks are performed. Microsoft recommends success auditing of security groups to see new group creation events and changes to and deletion of critical groups. You will also get information about new members of security groups, about when a member was removed from a group and about when security group membership was enumerated. Mucking about with security groups has an obvious security impact, so this policy is worth enabling. Event IDs generated in the Security log when you enable this auditing subcategory are 4731, a security-enabled local group was created. 4732, a member was added to a security-enabled local group. 4733, a member was removed from a security-enabled local group. 4734, a security-enabled local group was deleted. 4735, a security-enabled local group was changed. 4764, a group's type was changed. 4799, a security-enabled local group membership was enumerated. 4727, a security-enabled global group was created. 4737, a security-enabled global group was changed. 4728, a member was added to a security-enabled global group. 4729, a member was removed from a security-enabled global group. 4730, a security-enabled global group was deleted. 4754, a security-enabled universal group was created. 4755, a security-enabled universal group was changed. 4756, a member was added to a security-enabled universal group. 4757, a member was removed from a security-enabled universal group. 4758, a security-enabled universal group was deleted.

The Audit Computer Account Management policy determines whether the operating system generates audit events when a computer account is created, changed, or deleted. Microsoft recommends monitoring changes to critical computer objects in Active Directory, such as domain controllers, administrative workstations, and critical servers. It is especially important to be informed if any critical computer account objects are deleted. Additionally, events in this subcategory will give you information about who deleted, created, or modified a computer object and when the action was taken. Event IDs generated in the Security log when you enable this auditing subcategory are 4741, a computer account was created. 4742, a computer account was changed. 4743, a computer account was deleted.

The Audit User Account Management policy determines whether the operating system generates audit events when specific user account management tasks are performed. This subcategory contains many useful events for monitoring, especially for critical domain accounts, such as domain admins, service accounts, database admins, and so on.
Microsoft recommends failure auditing, mostly to see invalid password change and reset attempts for domain accounts, Directory Services Restore Mode account password change failures, and failed SID History add attempts. As you want records of any changes to important and non-important accounts, you should definitely enable this policy. Event IDs generated in the Security log when you enable this auditing subcategory are 4720, a user account was created. 4722, a user account was enabled. 4723, an attempt was made to change an account's password. 4724, an attempt was made to reset an account's password. 4725, a user account was disabled. 4726, a user account was deleted. 4738, a user account was changed. 4740, a user account was locked out. 4765, SID History was added to an account. 4766, an attempt to add SID History to an account failed. 4767, a user account was unlocked. 4780, the access control list (ACL) was set on accounts which are members of administrators groups. 4781, the name of an account was changed. 4794, an attempt was made to set the Directory Services Restore Mode administrator password. 4798, a user's local group membership was enumerated. 5376, Credential Manager credentials were backed up. 5377, Credential Manager credentials were restored from a backup.

The Audit Distribution Group Management policy determines whether the operating system generates audit events for specific distribution group management tasks. Typically, actions related to distribution groups have low security relevance and it is much more important to monitor security group changes. However, if you want to monitor changes to critical distribution groups, such as a member being added to an internal critical distribution group like a DL for executives or a football tipping distribution list, you need to enable this subcategory for success auditing. Event IDs generated in the Security log when you enable this auditing subcategory are 4749, a security-disabled global group was created. 4750, a security-disabled global group was changed. 4751, a member was added to a security-disabled global group. 4752, a member was removed from a security-disabled global group. 4753, a security-disabled global group was deleted. 4759, a security-disabled universal group was created. 4760, a security-disabled universal group was changed. 4761, a member was added to a security-disabled universal group. 4762, a member was removed from a security-disabled universal group. 4763, a security-disabled universal group was deleted. 4744, a security-disabled local group was created. 4745, a security-disabled local group was changed. 4746, a member was added to a security-disabled local group. 4747, a member was removed from a security-disabled local group. 4748, a security-disabled local group was deleted.

The Audit Other Account Management Events policy determines whether the operating system generates user account management audit events not covered by the other subcategories. Event IDs generated in the Security log when you enable this auditing subcategory are 4782, the password hash of an account was accessed. 4793, the Password Policy Checking API was called.

The Audit Application Group Management policy generates events for actions related to application groups, such as group creation, modification, addition or removal of group members and some other actions. Application groups are used by Authorization Manager, which was deprecated starting with Windows Server 2012. I've included this policy here because it's in the GPO and you might have been curious as to what it was meant to do, even if it does absolutely nothing useful.

This video provided an introduction to Windows Server Advanced Security Auditing Account Management policies. Other videos on this channel cover policies in each advanced audit policy category and notable events that enabling the policies generate. The advice in this video is based on the documentation published on learn.microsoft.com at the link in this video's description.
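The subcategories and event IDs covered above amount to a procedure: turn the subcategories on, then pull the resulting events out of the Security log and focus on the groups you care about. The following PowerShell is an added example, not code from the video or from Microsoft's documentation. It enables the five useful subcategories with auditpol.exe, then reads the security-enabled group member add/remove events (4728, 4729, 4732, 4733, 4756, 4757) from the Security log and keeps only changes to a set of groups you name. The function names, the default watched-group list and the 24-hour window are assumptions for illustration; the subcategory display names and event IDs are the ones auditpol and the video use.

```powershell
# Added example, not code from the video or from Microsoft's documentation.
# Run in an elevated PowerShell session on the server or domain controller
# being audited. Subcategory names are the display names auditpol.exe uses;
# the default watched-group list is a placeholder to replace with your own.

function Enable-AccountManagementAuditing {
    # Success auditing for the group and computer subcategories, success and
    # failure for User Account Management, where the failure events (bad password
    # change/reset attempts, failed SID History adds) carry most of the value.
    $settings = @(
        @{ Name = 'Security Group Management';       Success = 'enable'; Failure = 'disable' }
        @{ Name = 'Computer Account Management';     Success = 'enable'; Failure = 'disable' }
        @{ Name = 'User Account Management';         Success = 'enable'; Failure = 'enable' }
        @{ Name = 'Distribution Group Management';   Success = 'enable'; Failure = 'disable' }
        @{ Name = 'Other Account Management Events'; Success = 'enable'; Failure = 'disable' }
    )
    foreach ($s in $settings) {
        & auditpol.exe /set /subcategory:"$($s.Name)" /success:$($s.Success) /failure:$($s.Failure) | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "auditpol.exe could not set '$($s.Name)'" }
    }
    # Print the effective settings so the change can be confirmed.
    & auditpol.exe /get /category:"Account Management"
}

function Get-CriticalGroupMembershipChanges {
    param(
        # Placeholder list; replace with the groups you consider critical.
        [string[]]$WatchedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins'),
        [int]$Hours = 24,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    # Member added/removed events for security-enabled local (4732/4733),
    # global (4728/4729) and universal (4756/4757) groups.
    $addIds    = 4728, 4732, 4756
    $removeIds = 4729, 4733, 4757
    $filter = @{
        LogName   = 'Security'
        Id        = $addIds + $removeIds
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Read EventData fields by name from the event XML rather than
            # parsing the rendered message text, whose wording can vary.
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

            if ($WatchedGroups -contains $data['TargetUserName']) {
                $action = if ($_.Id -in $addIds) { 'MemberAdded' } else { 'MemberRemoved' }
                [pscustomobject]@{
                    Time      = $_.TimeCreated
                    EventId   = $_.Id
                    Action    = $action
                    Group     = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
                    Member    = $data['MemberName']      # distinguished name of the member
                    ChangedBy = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
                    LoggedOn  = $_.MachineName
                }
            }
        }
}

# Example run: enable auditing, then list the last day's changes to the watched groups.
Enable-AccountManagementAuditing
Get-CriticalGroupMembershipChanges -Hours 24 | Format-Table -AutoSize
```

auditpol.exe changes local audit policy only. On a domain member or domain controller where a GPO configures Advanced Audit Policy, the GPO setting is reapplied at the next policy refresh, so make the change in Group Policy there and use the first function only to confirm the effective setting. Group membership changes are recorded on the domain controller that processed them, so query each DC (or your event collector) rather than a single machine, and note that reading the Security log needs administrator rights or membership in Event Log Readers.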
Increasing the security controls applied to Active Directory will improve your overall AD DS security posture, but it will not make your systems invulnerable. Security is always a matter of balancing what can be pragmatically accomplished by administrators in day-to-day operations with an assumed breach philosophy. We are interested in hearing about your experiences as an AD DS administrator. Are there any AD DS security or Windows Server related topics you'd like us to cover in a future video? If so, mention them below. I hope you found this video useful and informative. My name is Oren Thomas. You can find me at aka.ms/oren and if you've got any questions or feedback, drop a comment below.