Every event recorded in the Event Viewer carries a numeric Event ID whose meaning is fixed for its log and source (Security, System, Application and so on). Seeing Event ID 41 from the Kernel-Power source in the System log, for instance, means the machine restarted without shutting down cleanly, which is what is left behind after the famous blue screen. A consequence of this is that some IDs are only ever written when the feature that produces them has been configured. For example, the event:
“Event 4662: An operation was performed on an object”.
refers to objects in Active Directory. It is written only on domain controllers, and only when the "Audit Directory Service Access" subcategory is enabled (and, since it is object access auditing, only for accesses that match the object's SACL). If that subcategory is off, the event simply never appears.
Microsoft Windows Server Monitoring
Now that we know the concepts, it is time to make a monitoring plan for our server. But which events should we select? Again, the answer depends on the role of the server and on what you need to watch.
In our case, if we wanted to track authentication and the creation, deletion and modification of users, we would be working with the Security log, which is populated by the "Security Auditing" policy. The events from the Account Management subcategories are the interesting ones there. For example:
- 4720 – A user account was created
- 4722 – A user account was enabled
- 4723 – A user attempted to change an account's password
- 4724 – An attempt was made to reset an account’s password
- 4725 – A user account was disabled
- 4726 – A user account was deleted
- 4727 – A security-enabled global group was created
- 4728 – A member was added to a security-enabled global group
- 4729 – A member was removed from a security-enabled global group
- 4730 – A security-enabled global group was deleted
- 4731 – A security-enabled local group was created
- 4732 – A member was added to a security-enabled local group
- 4733 – A member was removed from a security-enabled local group
- 4734 – A security-enabled local group was deleted
- 4735 – A security-enabled local group was changed
- 4737 – A security-enabled global group was changed
- 4738 – A user account was changed
- 4741 – A computer account was created
- 4742 – A computer account was changed
- 4743 – A computer account was deleted
- 4754 – A security-enabled universal group was created
- 4755 – A security-enabled universal group was changed
- 4756 – A member was added to a security-enabled universal group
- 4757 – A member was removed from a security-enabled universal group
- 4758 – A security-enabled universal group was deleted
For the example elaborated in this article, we selected some of the previous ones together with events from two other subcategories: Directory Service Access (4662) and Logon/Logoff (4624 and 4672):
- 4726 – A user account was deleted
- 4720 – A user account was created
- 4756 – A member was added to a security-enabled universal group
- 4662 – An operation was performed on an object
- 4624 – An account was successfully logged on
- 4672 – Special privileges assigned to new logon
With these we have a baseline for tracking who is given access to the server and who actually logs on to it.
The Account Management events cover the creation and deletion of accounts and tell you when an account is added to a security group. 4662 shows which directory objects are being read or changed, and the two Logon/Logoff events show every successful logon (4624) and, through 4672, which of those logons were granted administrator-level privileges, so you can see who has signed in to the server as an administrator.
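The following PowerShell script is an added example, not code from the original article. It ties together the two points made above: an event ID only shows up when its audit subcategory is enabled, so the script first checks the policy with auditpol, then collects the six selected IDs from the Security log, flattens the EventData fields that matter for each ID, and answers the "who logged on with administrator permissions" question from 4672. It assumes it is run elevated on the monitored server (a domain controller for 4662), an English-language audit policy, and Windows PowerShell 5.1 or later; the ID-to-subcategory map and the 24-hour window are this example's own choices.

```powershell
# Added example (not from the original article). Assumes: elevated session,
# English auditpol output, Windows PowerShell 5.1+. The map below is ours.
$RequiredSubcategories = @{
    4720 = 'User Account Management'    # account created
    4726 = 'User Account Management'    # account deleted
    4756 = 'Security Group Management'  # member added to universal group
    4662 = 'Directory Service Access'   # operation on an AD object (DCs only)
    4624 = 'Logon'                      # successful logon
    4672 = 'Special Logon'              # admin-equivalent privileges granted
}

# 1. auditpol /get /category:* prints one indented line per subcategory that
#    ends in its setting: "No Auditing", "Success", "Failure" or
#    "Success and Failure". An ID is useless if its subcategory is off.
function Test-AuditSubcategory {
    param([string[]]$Name)
    $policy = auditpol /get /category:* 2>$null
    foreach ($sub in $Name) {
        $line = $policy |
            Where-Object { $_ -match "^\s+$([regex]::Escape($sub))\s{2,}" } |
            Select-Object -First 1
        $setting = if ($line) { ($line -split '\s{2,}')[-1].Trim() } else { 'not found' }
        [pscustomobject]@{
            Subcategory   = $sub
            Setting       = $setting
            AuditsSuccess = ($setting -match 'Success')
        }
    }
}

$checks = Test-AuditSubcategory -Name ($RequiredSubcategories.Values | Sort-Object -Unique)
$checks | Where-Object { -not $_.AuditsSuccess } | ForEach-Object {
    Write-Warning "'$($_.Subcategory)' is '$($_.Setting)': its events will never be written."
}

# 2. Pull the selected IDs from the last 24 hours in a single query.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = [int[]]$RequiredSubcategories.Keys
    StartTime = (Get-Date).AddHours(-24)
} -ErrorAction SilentlyContinue

# 3. EventData is a list of <Data Name="..."> elements. Turn it into a
#    hashtable and pick the fields that matter for each ID.
function ConvertTo-AuditRecord {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $data = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    $subject = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
    $detail = switch ($Event.Id) {
        4624    { "$($data['TargetDomainName'])\$($data['TargetUserName']) (logon type $($data['LogonType']))" }
        4672    { $data['PrivilegeList'] -replace '\s+', ' ' }
        4662    { "$($data['ObjectType']) $($data['ObjectName'])" }
        4756    { "$($data['MemberName']) -> $($data['TargetUserName'])" }
        default { "$($data['TargetDomainName'])\$($data['TargetUserName'])" }
    }
    [pscustomobject]@{
        Time    = $Event.TimeCreated
        Id      = $Event.Id
        Subject = $subject
        Detail  = $detail
        From    = $data['IpAddress']
    }
}

$records = $events | ForEach-Object { ConvertTo-AuditRecord $_ }

# 4. "Who logged on with administrator permissions": 4672 fires for every
#    privileged logon, including SYSTEM, the service accounts and computer
#    accounts (names ending in '$'), so filter those out to keep the humans.
$adminLogons = $records | Where-Object {
    $_.Id -eq 4672 -and $_.Subject -notmatch '\\(SYSTEM|LOCAL SERVICE|NETWORK SERVICE|.*\$)$'
}

$records | Sort-Object Time | Format-Table -AutoSize
"Privileged logons by non-system accounts in the window: $($adminLogons.Count)"
$adminLogons | Format-Table Time, Subject, Detail -AutoSize
```

Two practical caveats: on a non-English Windows the subcategory names in the auditpol output are localized and the map has to be adjusted, and on a busy domain controller 4662 is by far the noisiest of the six, so in production you would narrow it further by ObjectType or ObjectName before shipping it to a monitoring system.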
The content of an event would be as shown below: