Como descubro quem criou um usuário?
Procure a ID do evento 4720: uma conta de usuário foi criada:
4720: A user account was created
The user identified by Subject: created the user identified by New Account:.
Attributes show some of the properties that were set at the time the account was created. Notice account is initially disabled.
This event is logged both for local SAM accounts and domain accounts.
You will see a series of other User Account Management events after this event as the remaining properties are punched down, password set and account finally enabled.
Subject:
The user and logon session that performed the action.
- Security ID: The SID of the account.
- Account Name: The account logon name.
- Account Domain: The domain or - in the case of local accounts - computer name.
- Logon ID is a semi-unique (unique between reboots) number that identifies the logon session. Logon ID allows you to correlate backwards to the logon event (4624) as well as with other events logged during the same logon session.
Consulte o link da fonte abaixo para ver uma lista completa de categorias e subcategorias do evento.
Fonte 4720: Uma conta de usuário foi criada
Como descubro quem adicionou um usuário ao grupo local de administradores?
Procure a ID do Evento 4732: um membro foi adicionado a um grupo local habilitado para segurança:
4732: A member was added to a security-enabled local group
The user in Subject: added the user/group/computer in Member: to the Security Local group in Group:.
This event is logged on domain controllers for Active Directory domain local groups and member computer for local SAM groups. You can determine if the group is a domain or SAM group by comparing Group Domain: to the Computer: name. If they match you have a SAM group, if they differ you have a domain group.
Active Directory
- In Active Directory Users and Computers "Security Enabled" groups are simply referred to as Security groups. AD has 2 types of groups: Security and Distribution. Distribution (security disabled) groups are for distribution lists in Exchange and cannot be assigned permissions or rights. Security (security enabled) groups can be used for permissions, rights and as distribution lists. A domain local group means the group can only be granted access to objects within its domain but can have members from any trusted domain.
Local SAM
- All groups are security groups in the computer's SAM. Local SAM groups can be granted access to objects on the local computer only but may have members from the local SAM and any trusted domain.
Subject:
The user and logon session that performed the action.
- Security ID: The SID of the account.
- Account Name: The account logon name.
- Account Domain: The domain or - in the case of local accounts - computer name.
- Logon ID is a semi-unique (unique between reboots) number that identifies the logon session. Logon ID allows you to correlate backwards to the logon event (4624) as well as with other events logged during the same logon session.
Consulte o link da fonte abaixo para ver uma lista completa de categorias e subcategorias do evento.
Fonte 4732: Um membro foi adicionado a um grupo local habilitado para segurança