Security Basics mailing list archives

Audit account (Windows 2000 AD)


From: Peter Rodger <prodger2008 () yahoo com>
Date: Tue, 28 Feb 2006 14:11:04 -0800 (PST)

Hi all,

We need to audit disabled accounts, expired accounts and
password changes.  I enabled auditing domain policy to
audit account management success and failure events
(also logon).  But, nothing is logged on the event log
as posted on the MS site.

FMT_MTD.1(c)

CAPP – 5.4.5
 All modifications to the values of TSF data (user
security attributes - including the new value of the
TSF data)
 Category: Policy change

608 – User right assigned.

609 – User right removed.

Category: Account management

624 – User account created.

625 – User account type changed.

626 – User account enabled.

629 – User account disabled.

630 – User account deleted.

I just disabled two accounts and enabled them.  No
event 629 & 626 logged in the security log.

Is there something I missed?

Thanks for your help as it's urgent.

Peter
 
