UltimateWindowsSecurity.com Forum / Ultimate Windows Security Forum / Security Log / 624 - User Account Created

New Users - No 624 event generated

bladerunner — Wed, 14 Sep 2011 11:12:49 GMT

I am attempting to create a report in our new SIEM that will run each week and display all new users accounts created in that week. I built a custom query to look for 624 events. I sat down with one of our account provisoners to verify my query results against the actual accounts they created. I am only catching half of the accounts. I took the list of names of users my report missed and built a quick query looking for all relevant events. All came back with 642s and and 628s, which I know are often generated by a 624 event. Any idea why there are no 624s? I am just querying our DC's which all have the same level of logging. I also ruled out 2008 machines (4072 events I believe). Any thoughts?

Privileges field in Account Management events

jsilver — Tue, 17 Nov 2009 04:30:27 GMT

The field "Privileges" in most of the Account Management events is most of the time empty. Does anyboe have any idea of whose privileges this is supposed to display?

E.g. 624 - User Account Created. Does it show the privileges granted to the created user at the moment of account creation or on the other hand the privileges of the account initiating this action?

I googled the entire internet and MSDN but failed to find anything on this topic.

Would be grateful if someone could shed some light on this.

Thanks in advance.

administrator privilege

Gcetech — Wed, 11 Aug 2010 10:01:02 GMT

Hello,

i'm french and my english is not perfect. I work on a RSA Envision plateform and I want to make a report with event viewer log with the create user and also the administror privilege.

I use the eventid 624, but i dont know where I can see if this user is administrator. In witch Eventid can I have find this reference.

I use also eventid 684 but i haven't also the administrator users.

thank you