

Monitor Active Directory events with LEM

Created by Jason Dee, last modified by Jason Dee on Dec 27, 2017


Overview

This article describes how to use LEM to monitor Active Directory events, such as user account creation and deletion, security group creation and deletion, user logons, and logon failures.

Environment

  • All versions of LEM
  • Domain controllers monitored by LEM

Steps

  1. Verify that your auditing policy is configured to generate these events. The table below lists the Audit Policy category and subcategory each event requires (see also Audit policies and best practices) and the Event Type you should search for in nDepth.
  2. Search nDepth to verify those events are being logged as expected. Once they are found in nDepth, you can use those event details to create a rule to monitor them, if desired.


Description                              | Event Type        | Windows Event ID / ProviderSID field in LEM | Audit Policy Category / Subcategory               | Corresponding Rule
-----------------------------------------|-------------------|---------------------------------------------|---------------------------------------------------|-----------------------------------------------
Group member added to security group     | NewGroupMember    | 4728                                        | Account Management / Security Group Management    | User Added to Group; New Critical Group Member
Group member removed from security group | DeleteGroupMember | 4729                                        | Account Management / Security Group Management    | User Removed from Group
User account created                     | NewDomainMember   | 4720                                        | Account Management / User Account Management      | User Account Created
User account deleted                     | DeleteDomainMember| 4726                                        | Account Management / User Account Management      | User Account Deleted
User account enabled                     | UserEnable        | 4722                                        | Account Management / User Account Management      | User Account Enabled
User account disabled                    | UserDisable       | 4725                                        | Account Management / User Account Management      | User Account Disabled
Account lockout                          | UserDisable       | 4740                                        | Logon/Logoff / Account Lockout                    | User Account Lockout
GPO/AD Object Change                     | ObjectAudit       | 5136                                        | Directory Service / Directory Service Changes     | N/A
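As an added example (not part of the SolarWinds article), the following PowerShell, run in an elevated session on one of the domain controllers that LEM monitors, performs both steps locally before you turn to nDepth: it reads the effective audit setting for each subcategory in the table with auditpol, and counts how many Security-log events with the table's event IDs were written in a chosen window. The $adEvents mapping is built from the table above; the function names and the 24-hour window are this example's own choices.

```powershell
# Added example, not from the SolarWinds article. Run in an elevated PowerShell
# session on a monitored domain controller. It checks the two things the Steps
# section asks for before you search nDepth:
#   1. the audit subcategories from the table are enabled on this DC, and
#   2. Windows Security events with the table's IDs are actually being written.
# Event IDs, LEM event types and subcategories come from the article's table;
# the function names and the default 24-hour window are chosen for this example.

$adEvents = @{
    4728 = @{ LemType = 'NewGroupMember';     Subcategory = 'Security Group Management' }
    4729 = @{ LemType = 'DeleteGroupMember';  Subcategory = 'Security Group Management' }
    4720 = @{ LemType = 'NewDomainMember';    Subcategory = 'User Account Management' }
    4726 = @{ LemType = 'DeleteDomainMember'; Subcategory = 'User Account Management' }
    4722 = @{ LemType = 'UserEnable';         Subcategory = 'User Account Management' }
    4725 = @{ LemType = 'UserDisable';        Subcategory = 'User Account Management' }
    4740 = @{ LemType = 'UserDisable';        Subcategory = 'Account Lockout' }
    5136 = @{ LemType = 'ObjectAudit';        Subcategory = 'Directory Service Changes' }
}

# Step 1: effective audit policy on this DC for each subcategory in the table.
# auditpol prints lines of the form "  <Subcategory>   <Setting>", where Setting
# is "No Auditing", "Success", "Failure" or "Success and Failure".
function Get-AdAuditSettings {
    $subcategories = $adEvents.Values | ForEach-Object { $_.Subcategory } | Sort-Object -Unique
    foreach ($sub in $subcategories) {
        $pattern = '^\s+' + [regex]::Escape($sub) + '\s{2,}(.+?)\s*$'
        $setting = 'unknown (auditpol failed or subcategory not found)'
        foreach ($line in (auditpol /get /subcategory:"$sub")) {
            if ($line -match $pattern) { $setting = $Matches[1]; break }
        }
        [pscustomobject]@{
            Subcategory = $sub
            Setting     = $setting
            # Every row in the table is a Success audit, so Success must be on.
            Enabled     = ($setting -match 'Success')
        }
    }
}

# Step 2: have these event IDs been written to the Security log recently?
function Get-AdEventCounts {
    param([int]$Hours = 24)
    $filter = @{
        LogName   = 'Security'
        Id        = @($adEvents.Keys)
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    # Get-WinEvent raises "No events were found" when nothing matches; treat that as zero.
    $found = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    $byId = @{}
    foreach ($e in $found) { $byId[$e.Id] = $byId[$e.Id] + 1 }
    foreach ($id in ($adEvents.Keys | Sort-Object)) {
        [pscustomobject]@{
            EventId      = $id
            LemEventType = $adEvents[$id].LemType
            Count        = [int]$byId[$id]
        }
    }
}

Get-AdAuditSettings | Format-Table -AutoSize
Get-AdEventCounts -Hours 24 | Format-Table -AutoSize
```

auditpol reports the policy in effect on the DC where it runs, so repeat the check on each monitored DC, and note that subcategory names are localized on non-English systems. Event 5136 additionally requires a SACL on the directory objects you want audited, so an enabled Directory Service Changes subcategory alone does not guarantee that those events appear. A zero count in the window means either the policy is not producing the event or nothing happened in that period; make a harmless test change (for example, add a test account to a test group) and re-run before looking for the problem in nDepth.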
