
Monitor Active Directory events with LEM

Created by Jason Dee, last modified by MindTouch on Jun 23, 2016



This article explains how to use LEM to monitor Active Directory events, such as user account creation and deletion, security group creation and deletion, user logons, and logon failures.


  • All versions of LEM
  • Domain controllers monitored by LEM


  1. Verify that your auditing policy is configured to create these events. See Audit policies and best practices, and refer to the table below to identify which Event Type you should search for using nDepth.
  2. Search nDepth to verify those events are being logged as expected. Once they are found in nDepth, you can use those event details to create a rule to monitor them, if desired.


| Description | Event Type | Windows Event ID / ProviderSID field in LEM | Audit Policy Category / Subcategory | Corresponding Rule |
|---|---|---|---|---|
| User account created | NewDomainMember | 4720 | Account Management / User Account Management | User Account Created |
| User account deleted | DeleteDomainMember | 4726 | Account Management / User Account Management | User Account Deleted |
| User account enabled | UserEnable | 4722 | Account Management / User Account Management | User Account Enabled |
| User account disabled | UserDisable | 4725 | Account Management / User Account Management | User Account Disabled |
| Account lockout | UserDisable | 4740 | Logon/Logoff / Account Lockout | User Account Lockout |
| GPO/AD Object Change | ObjectAudit | 5136 | Directory Service / Directory Service Changes | N/A |
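
One way to carry out step 1 and pre-check step 2 directly on a domain controller, as an added example that is not part of the original article or of LEM itself: it reads the effective audit policy for the subcategories named in the table and reports when each listed event ID last appeared in the local Security log. It assumes an elevated session and English subcategory names; the seven-day look-back window is an arbitrary choice.

```powershell
# Added example: run in an elevated PowerShell session on a domain controller.
# Subcategory names and event IDs come from the table above
# (English-language Windows assumed; localized systems use translated names).
$subcategories = 'User Account Management', 'Account Lockout', 'Directory Service Changes'
$eventIds      = 4720, 4726, 4722, 4725, 4740, 5136
$since         = (Get-Date).AddDays(-7)   # look-back window; an assumption, adjust as needed

# Step 1: read the effective audit policy.
# /r emits CSV; blank lines are dropped before parsing.
$policy = auditpol /get /category:* /r |
    Where-Object { $_.Trim() } |
    ConvertFrom-Csv |
    Where-Object { $_.Subcategory -in $subcategories } |
    Select-Object Subcategory,
        @{ Name = 'Setting';        Expression = { $_.'Inclusion Setting' } },
        @{ Name = 'SuccessAudited'; Expression = { $_.'Inclusion Setting' -match 'Success' } }

# Step 2 pre-check: confirm the events exist in the local Security log,
# so you know what to expect when you search for them in nDepth.
$seen = foreach ($id in $eventIds) {
    $filter = @{ LogName = 'Security'; Id = $id; StartTime = $since }
    # Get-WinEvent returns newest first, so one event is enough for "last seen".
    $latest = Get-WinEvent -FilterHashtable $filter -MaxEvents 1 -ErrorAction SilentlyContinue
    [pscustomobject]@{
        EventId  = $id
        LastSeen = if ($latest) { $latest.TimeCreated } else { $null }
    }
}

$policy | Format-Table -AutoSize
$seen   | Format-Table -AutoSize

# Flag subcategories that are absent from the output or not auditing success events.
$subcategories | Where-Object { $_ -notin $policy.Subcategory } |
    ForEach-Object { Write-Warning "Subcategory '$_' not found in auditpol output." }
$policy | Where-Object { -not $_.SuccessAudited } |
    ForEach-Object { Write-Warning "'$($_.Subcategory)' is set to '$($_.Setting)'; success events will not be logged." }
```

An empty LastSeen only means the event has not occurred within the window, so trigger a test change (for example, create and delete a test account) before concluding that auditing is broken. Event 5136 additionally requires an auditing entry (SACL) on the directory object that was changed.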




Last modified
20:16, 22 Jun 2016