
Monitor Active Directory events with LEM

Created by Jason Dee, last modified by Jason Dee on Dec 27, 2017


Overview

This article describes how to use LEM to monitor Active Directory events such as user account creation and deletion, security group creation and deletion, user logons, and logon failures.

Environment

  • All versions of LEM
  • Domain controllers monitored by LEM

Steps

  1. Verify that your auditing policy is configured to generate these events. The table below lists the audit policy category and subcategory for each event; see Audit policies and best practices for how to configure them. Use the same table to identify the Event Type to search for in nDepth.
  2. Search nDepth to verify that those events are being logged as expected. Once they appear in nDepth, you can use the event details to create a rule to monitor them, if desired.

Description                              | Event Type        | Windows Event ID / ProviderSID field in LEM | Audit Policy Category / Subcategory             | Corresponding Rule
Group member added to security group     | NewGroupMember    | 4728                                         | Account Management / Security Group Management | User Added to Group; New Critical Group Member
Group member removed from security group | DeleteGroupMember | 4729                                         | Account Management / Security Group Management | User Removed from Group
User account created                     | NewDomainMember   | 4720                                         | Account Management / User Account Management   | User Account Created
User account deleted                     | DeleteDomainMember| 4726                                         | Account Management / User Account Management   | User Account Deleted
User account enabled                     | UserEnable        | 4722                                         | Account Management / User Account Management   | User Account Enabled
User account disabled                    | UserDisable       | 4725                                         | Account Management / User Account Management   | User Account Disabled
Account lockout                          | UserDisable       | 4740                                         | Logon/Logoff / Account Lockout                 | User Account Lockout
GPO/AD Object Change                     | ObjectAudit       | 5136                                         | Directory Service / Directory Service Changes  | N/A
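As an added example (not the article's or SolarWinds' own code), the following PowerShell performs step 1 locally on a domain controller: it reads the effective audit policy with auditpol and counts how many of the Security event IDs from the table were written in the last 24 hours, so you know what to expect before searching nDepth. It assumes an elevated session on the DC with English auditpol output; the event ID to subcategory mapping is copied from the table above.

```powershell
# Added example, not from the article or SolarWinds. Run elevated on a domain controller.
# Event ID -> audit subcategory, exactly as listed in the table above.
$AdEvents = @{
    4728 = 'Security Group Management'
    4729 = 'Security Group Management'
    4720 = 'User Account Management'
    4726 = 'User Account Management'
    4722 = 'User Account Management'
    4725 = 'User Account Management'
    4740 = 'Account Lockout'
    5136 = 'Directory Service Changes'
}

function Get-AuditSubcategoryState {
    # auditpol /r emits CSV with the columns:
    # Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
    # (assumes English output; subcategory names are localized)
    $rows = auditpol /get /category:* /r | ConvertFrom-Csv
    $state = @{}
    foreach ($r in $rows) { $state[$r.Subcategory] = $r.'Inclusion Setting' }
    return $state
}

function Test-AdAuditCoverage {
    param([int]$HoursBack = 24)   # look-back window; assumption, adjust as needed
    $policy = Get-AuditSubcategoryState
    $since  = (Get-Date).AddHours(-$HoursBack)

    # One Security log query for all IDs, then count per ID.
    $counts = @{}
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = @($AdEvents.Keys); StartTime = $since } `
                 -ErrorAction SilentlyContinue |
        Group-Object Id | ForEach-Object { $counts[[int]$_.Name] = $_.Count }

    foreach ($id in ($AdEvents.Keys | Sort-Object)) {
        $sub     = $AdEvents[$id]
        $setting = if ($policy.ContainsKey($sub)) { $policy[$sub] } else { 'unknown' }
        [pscustomobject]@{
            EventId      = $id
            Subcategory  = $sub
            AuditSetting = $setting
            # These are Success audits: 'Success' or 'Success and Failure' must be enabled.
            PolicyOk     = ($setting -match 'Success')
            EventsSeen   = if ($counts.ContainsKey($id)) { $counts[$id] } else { 0 }
        }
    }
}

Test-AdAuditCoverage | Format-Table -AutoSize
```

A row with PolicyOk set to False explains an empty nDepth search before you look at the agent or connector; a row with PolicyOk True and EventsSeen 0 usually just means no such change happened in the window.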

 

 

 
