Security Events Are Not Logged During Audit

 Last reviewed: November 5, 1997
Article ID: Q173059
The information in this article applies to:
  • Microsoft Windows NT Server version 4.0
  • Microsoft Windows NT Workstation version 4.0

SYMPTOMS

When audit policies are set to log User and Group Management events, some Event IDs are not recorded in the event log when the event to which they refer occurs.

CAUSE

The following Events should be recorded when auditing User and Group Management events:

  • Event ID 625: User Account Type Change (Indicates that a user account's type has been changed)
  • Event ID 626: User Account Enabled (Indicates that a user account has been enabled)
  • Event ID 628: User Account password set (Indicates that a user account's password has been set)
  • Event ID 629: User Account Disabled (Indicates that a user account has been disabled)
  • Event ID 640: General Account Database Change (Indicates that a change has been made to the Security Account Manager [SAM] database)

All of these events are logged as Event ID 642: User Account Changed, and the record indicates that a change has been made to a User Account.

STATUS

Microsoft has confirmed this to be a problem in Windows NT. We are researching this problem and will post new information here in the Microsoft Knowledge Base as it becomes available.

Additional query words: prodnt secevent sec audit logged logging
Keywords : kbbug4.00 ntdocerr ntdomain ntsecurity NTSrvWkst
Version : WinNT:4.0
Platform : winnt
Hardware : x86
Issue type : kbbug kbdocerr
Solution Type : kbpending

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.

Last reviewed: November 5, 1997
© 1998 Microsoft Corporation. All rights reserved. Terms of Use.