| Events |
Windows 2008 |
| |
Security Group Management |
| Event ID |
Title |
| 4727 |
A security-enabled global group was created. |
| 4728 |
A member was added to a security-enabled global group. |
| 4729 |
A member was removed from a security-enabled global group. |
| 4730 |
A security-enabled global group was deleted. |
| 4731 |
A security-enabled local group was created. |
| 4732 |
A member was added to a security-enabled local group. |
| 4733 |
A member was removed from a security-enabled local group. |
| 4734 |
A security-enabled local group was deleted. |
| 4735 |
A security-enabled local group was changed. |
| 4737 |
A security-enabled global group was changed. |
| 4754 |
A security-enabled universal group was created. |
| 4755 |
A security-enabled universal group was changed. |
| 4756 |
A member was added to a security-enabled universal group. |
| 4757 |
A member was removed from a security-enabled universal group. |
| 4758 |
A security-enabled universal group was deleted. |
| 4764 |
A groups type was changed. |
| |
|
| |
User Account Management |
| Event ID |
Title |
| 4720 |
A user account was created. |
| 4722 |
A user account was enabled. |
| 4723 |
An attempt was made to change an account’s password. |
| 4724 |
An attempt was made to reset an accounts password. |
| 4725 |
A user account was disabled. |
| 4726 |
A user account was deleted. |
| 4738 |
A user account was changed. |
| 4740 |
A user account was locked out. |
| 4767 |
A user account was unlocked. |
| 4780 |
The ACL was set on accounts which are members of administrators groups. |
| 4781 |
The name of an account was changed: |
| 4794 |
An attempt was made to set the Directory Services Restore Mode administrator password |
| 5376 |
Credential Manager credentials were backed up. |
| 5377 |
Credential Manager credentials were restored from a backup. |
| |
|
| |
Distribution Group Management |
| Event ID |
Title |
| 4744 |
A security-disabled local group was created. |
| 4745 |
A security-disabled local group was changed. |
| 4746 |
A member was added to a security-disabled local group. |
| 4747 |
A member was removed from a security-disabled local group. |
| 4748 |
A security-disabled local group was deleted. |
| 4749 |
A security-disabled global group was created. |
| 4750 |
A security-disabled global group was changed |
| 4751 |
A member was added to a security-disabled global group. |
| 4752 |
A member was removed from a security-disabled global group. |
| 4753 |
A security-disabled global group was deleted. |
| 4759 |
A security-disabled universal group was created. |
| 4760 |
A security-disabled universal group was changed. |
| 4761 |
A member was added to a security-disabled universal group. |
| 4762 |
A member was removed from a security-disabled universal group. |
| 4763 |
A security-disabled universal group was deleted. |
| |
|
| |
Application Group Management |
| Event ID |
Title |
| 4783 |
A basic application group was created. |
| 4784 |
A basic application group was changed. |
| 4785 |
A member was added to a basic application group. |
| 4786 |
A member was removed from a basic application group. |
| 4787 |
A non-member was added to a basic application group. |
| 4788 |
A non-member was removed from a basic application group. |
| 4789 |
A basic application group was deleted. |
| 4790 |
An LDAP query group was created. |
| 4791 |
A basic application group was changed. |
| 4792 |
An LDAP query group was deleted. |
| |
|
| |
|
| |
System State Change |
| Event ID |
Title |
| 4608 |
Windows is starting up |
| 4609 |
Windows is shutting down |
| 4616 |
The system time was changed. |
| |
|
| |
Policy Auditing |
| 4719 |
System audit policy was changed. |
| 4739 |
Domain Policy was changed. |
Zero Day IT - Peter V Nguyen 