
Monitor Active Directory events with LEM

Created by Jason Dee, last modified by MindTouch on Jun 23, 2016


Overview

This article describes how to use LEM to monitor Active Directory events such as user account creation and deletion, security group creation and deletion, user logons, and logon failures. The table below covers the most common account-management and directory-change events; the same two steps apply to any other Windows Security event ID.

Environment

  • All versions of LEM
  • Domain controllers monitored by LEM

Steps

  1. Verify that the audit policy on your domain controllers is configured to generate these events. LEM can only report what Windows actually writes to the Security log, so if the relevant audit subcategory is not set to audit Success, the event never exists for LEM to collect. See Audit policies and best practices, and use the table below to find the audit policy subcategory for each event and the LEM Event Type you should search for in nDepth.
  2. Search nDepth for that Event Type (or the Windows Event ID in the ProviderSID field) to verify the events are being logged as expected. Once they appear in nDepth, use the event details (for example, the Event Type and the DestinationAccount or target object) to create a rule to monitor them, if desired. The last column lists the LEM rule that already corresponds to each event, where one exists.

 

| Description           | LEM Event Type     | Windows Event ID (ProviderSID field in LEM) | Audit Policy Category / Subcategory           | Corresponding Rule    |
|-----------------------|--------------------|---------------------------------------------|-----------------------------------------------|-----------------------|
| User account created  | NewDomainMember    | 4720                                        | Account Management / User Account Management  | User Account Created  |
| User account deleted  | DeleteDomainMember | 4726                                        | Account Management / User Account Management  | User Account Deleted  |
| User account enabled  | UserEnable         | 4722                                        | Account Management / User Account Management  | User Account Enabled  |
| User account disabled | UserDisable        | 4725                                        | Account Management / User Account Management  | User Account Disabled |
| Account lockout       | UserDisable        | 4740                                        | Account Management / User Account Management  | User Account Lockout  |
| GPO/AD object change  | ObjectAudit        | 5136                                        | DS Access / Directory Service Changes         | N/A                   |

Note that event 4740 is generated by the User Account Management subcategory, not by the Logon/Logoff "Account Lockout" subcategory (that subcategory audits failed logons to an already locked-out account, event 4625). Event 5136 requires both the Directory Service Changes subcategory and an auditing entry (SACL) on the directory objects you want to track; enabling the subcategory alone does not produce 5136 for objects that have no SACL.
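The following PowerShell script is an added example for carrying out step 1 and the first half of step 2 on the domain controller itself; it is not SolarWinds code and does not talk to LEM. It reads the effective audit policy for each subcategory in the table with auditpol, then queries the Security log for the listed event IDs so you know, before searching nDepth, whether Windows is generating them at all. The event ID to subcategory mapping is the one from the table above; the $LookbackHours parameter and the output format are this example's own choices.

```powershell
# Added example, not SolarWinds code. Run in an elevated PowerShell session on a
# domain controller (or wrap it in Invoke-Command to run it remotely).
param([int]$LookbackHours = 24)

# Windows Security event ID -> audit policy subcategory, as in the table above.
$EventMap = [ordered]@{
    4720 = 'User Account Management'    # user account created
    4726 = 'User Account Management'    # user account deleted
    4722 = 'User Account Management'    # user account enabled
    4725 = 'User Account Management'    # user account disabled
    4740 = 'User Account Management'    # account lockout
    5136 = 'Directory Service Changes'  # directory object modified (GPO/AD object change)
}

# Step 1: is Success auditing enabled for every subcategory we depend on?
# 'auditpol /get ... /r' prints CSV; the 'Inclusion Setting' column holds the
# effective setting (e.g. 'Success', 'Success and Failure', 'No Auditing').
foreach ($sub in ($EventMap.Values | Select-Object -Unique)) {
    $row = auditpol /get /subcategory:"$sub" /r |
        Where-Object { $_ -match '\S' } |      # drop blank lines before parsing
        ConvertFrom-Csv
    $setting = $row.'Inclusion Setting'
    $status  = if ($setting -match 'Success') { 'OK' } else { 'MISSING - events will not be generated' }
    '{0,-26} {1,-20} {2}' -f $sub, $setting, $status
}

# Step 2: confirm the events are actually being written to the Security log.
$filter = @{
    LogName   = 'Security'
    Id        = @($EventMap.Keys)
    StartTime = (Get-Date).AddHours(-$LookbackHours)
}
# SilentlyContinue: Get-WinEvent throws if nothing matches, which is a valid result here.
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

foreach ($id in $EventMap.Keys) {
    $hits = @($events | Where-Object Id -eq $id)
    if ($hits.Count -eq 0) {
        'Event {0}: none in the last {1} h' -f $id, $LookbackHours
        continue
    }
    # Read the EventData fields by name from the event XML instead of relying on
    # positional Properties[], whose order differs between event IDs.
    $latest = $hits | Sort-Object TimeCreated -Descending | Select-Object -First 1
    $xml    = [xml]$latest.ToXml()
    $data   = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    # 5136 names the changed object in ObjectDN; the account events use TargetUserName.
    $target = if ($data.ContainsKey('ObjectDN')) { $data['ObjectDN'] } else { $data['TargetUserName'] }
    'Event {0}: {1} hit(s); latest {2:u} target={3} by {4}' -f `
        $id, $hits.Count, $latest.TimeCreated, $target, $data['SubjectUserName']
}
```

If a subcategory reports MISSING, fix the audit policy (or the GPO that sets it) first; no amount of nDepth searching or rule tuning in LEM will surface an event the domain controller never writes. A subcategory that reports OK but shows no hits for 5136 usually means the objects you care about have no auditing SACL, which is the second requirement noted under the table.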

