Run gpedit.msc → Create a new GPO → Edit it : Go to "Computer
Configuration" → Policies → Windows Settings → Security Settings → Local
Policies > Audit Policy:
Audit account management → Define → Success.
Go to Event Log → Define:
Set the maximum security log size
Set the retention method for the security log to "Overwrite events as needed".
Link GPO to OU with User Accounts
Go to "Group Policy Management" → Right-click the defined OU → Choose "Link an Existing GPO" → Choose the created GPO.
Force a Group Policy update
In the "Group Policy Management" → Right-click the defined OU → Click "Group Policy Update".
Enable auditing for the domain using ADSI
Run adsiedit.msc → Connect to the Default naming context → Right-click the domain DNS object with the name of your domain → Click Properties → Select the Security (Tab) → Click Advanced (Button) → Select Auditing (Tab) → Add the principal "Everyone" → Type "Success" → Apply this to "This object and descendant objects" → Click Permissions → Select all check boxes except the following:
"Full control",
"List contents",
"Read all properties",
"Read permissions"
→ Click "OK"
Find Who disabled a AD user account
Open Event Viewer and search the security log for event ID 4722 (a user account was enabled)
Audit account management → Define → Success.
Go to Event Log → Define:
Set the maximum security log size
Set the retention method for the security log to "Overwrite events as needed".
Link GPO to OU with User Accounts
Go to "Group Policy Management" → Right-click the defined OU → Choose "Link an Existing GPO" → Choose the created GPO.
Force a Group Policy update
In the "Group Policy Management" → Right-click the defined OU → Click "Group Policy Update".
Enable auditing for the domain using ADSI
Run adsiedit.msc → Connect to the Default naming context → Right-click the domain DNS object with the name of your domain → Click Properties → Select the Security (Tab) → Click Advanced (Button) → Select Auditing (Tab) → Add the principal "Everyone" → Type "Success" → Apply this to "This object and descendant objects" → Click Permissions → Select all check boxes except the following:
"Full control",
"List contents",
"Read all properties",
"Read permissions"
→ Click "OK"
Find Who disabled a AD user account
Open Event Viewer and search the security log for event ID 4722 (a user account was enabled)
EmoticonEmoticon