ACS Audit Report for Account Created, Deleted, Enabled and/or Disabled


 

First, have the Event IDs of the required activities ready.

Second, consider the security event schema. Each parameter in an event is written to a specific column in the ACS database tables, and not all events share the same schema. For example, User Account Enabled, Disabled, Created and Deleted have the same schema, but account lockout might be different (this needs to be checked).

So, for the following activities (User Account Enabled, Disabled, Created and Deleted), we can create one report:

  • Open ACS Reporting Web:

https://<<servername>>/reports

  • Open Report Builder

 

  • Open from Report Server | Select Audit Reports | Account Management_-_User_Account_Created | Open

 

  • Design Report: Selected fields>>
  • Logon Time as Date/Time
  • Event ID as Action (Event ID)
    • Right Click Action (Event ID) | Edit Formula as follows:

 

  • Target User as Affected Account
  • Primary User as Action By
  • Event Machine as Domain Controller

  

  • Open Filter

a) Create New Data Field

 

b) The report looks for events 624 (Account Created), 630 (Account Deleted), 626 (Account Enabled) or 629 (Account Disabled) on Windows 2003, and 4720 (Account Created), 4726 (Account Deleted), 4722 (Account Enabled) or 4725 (Account Disabled) on Windows Server 2008.

 

 

  • Save the report using Save As
  • Open it from the SQL Server Reporting Services Web

 

 

  • Sample of the output

 

#Audit_Report_User_Accounts_Management.rdl
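
The filter and the Action (Event ID) labelling described above, expressed as a SQL query and run against constructed rows. This is an added example, not part of the original post or of ACS: the `audit_events` table and its column names are hypothetical stand-ins for the report fields (not the ACS database schema), and the "label (ID)" output format is an assumption.

```python
import sqlite3

# Event IDs listed in the post: (Windows 2003 ID, Windows Server 2008 ID).
ACTIONS = {
    "Account Created": (624, 4720),
    "Account Deleted": (630, 4726),
    "Account Enabled": (626, 4722),
    "Account Disabled": (629, 4725),
}

# Constructed sample rows: (logon_time, event_id, target_user, primary_user, event_machine).
SAMPLE_EVENTS = [
    ("2012-03-01 09:15:02", 4720, "jsmith", "admin1", "DC01"),
    ("2012-03-01 09:16:40", 4722, "jsmith", "admin1", "DC01"),
    ("2012-03-01 10:02:11", 4624, "jsmith", "jsmith", "DC01"),  # logon: filtered out
    ("2012-03-02 14:30:00", 629, "tempuser", "admin2", "DC02"),  # Windows 2003 ID
    ("2012-03-02 14:31:10", 630, "tempuser", "admin2", "DC02"),  # Windows 2003 ID
    ("2012-03-03 08:00:00", 4740, "jsmith", "SYSTEM", "DC02"),  # lockout: filtered out
]

def build_query():
    """Return SQL that labels each event ID and keeps only the eight IDs above."""
    # ACTIONS holds fixed constants, so formatting them into the SQL text is safe.
    whens = " ".join(
        f"WHEN event_id IN ({old}, {new}) THEN '{label}'"
        for label, (old, new) in ACTIONS.items()
    )
    ids = ", ".join(str(i) for pair in ACTIONS.values() for i in pair)
    return (
        'SELECT logon_time AS "Date/Time", '
        f"(CASE {whens} END) || ' (' || event_id || ')' AS \"Action (Event ID)\", "
        'target_user AS "Affected Account", primary_user AS "Action By", '
        'event_machine AS "Domain Controller" '
        f"FROM audit_events WHERE event_id IN ({ids}) ORDER BY logon_time"
    )

def run_report(events):
    """Load events into an in-memory stand-in table and return the report rows."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE audit_events (logon_time TEXT, event_id INTEGER, "
        "target_user TEXT, primary_user TEXT, event_machine TEXT)"
    )
    con.executemany("INSERT INTO audit_events VALUES (?, ?, ?, ?, ?)", events)
    rows = con.execute(build_query()).fetchall()
    con.close()
    return rows

if __name__ == "__main__":
    for row in run_report(SAMPLE_EVENTS):
        print(row)
```

Pairing the Windows 2003 and Windows Server 2008 IDs under one label keeps a mixed-version domain in a single report, with the raw ID still visible next to the label.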