How to Pull account modify data from active directory

Allison Suter 0 Reputation points
2024-01-15T15:29:57.24+00:00

Hi, I'd like to know how I can pull account creations, PW resets, and account unlocks from Active Directory. My boss wants to see how often we are creating new accounts, having to reset users' passwords, and unlocking their accounts. TIA!


1 answer

  1. Anonymous
    2024-01-16T08:20:31.01+00:00

    Hello Allison Suter,

    Thank you for posting in Q&A forum.

    Do you only need to view successful cases, or do you need to view both successful and failed cases simultaneously? For example, when creating an account, you only need to check whether the account creation was successful or failed.

    If you only view successful cases, there is no need to set other policies and you can directly view them in the security log in the Event Viewer. If you need to view failed cases, you can set policies according to the following actions.

    You can try enabling the audit policy to view information, following the steps:

    1. Open the Group Policy Management console.
    2. Locate your domain controller policy; usually the path is "Forest -> Domains -> Domain Name -> Domain Controllers".
    3. Right click on your domain controller policy and select "Edit".
    4. In "Computer Configuration" -> "Policies" -> "Windows Settings" -> "Security Settings" -> "Local Policies" -> "Audit Policies", you need to enable the following audit setting: Audit account management events.

    After enabling the audit policy, relevant events will be recorded in the Event Viewer after you create an AD account, unlock an AD account, or reset an AD user password.

    Note:

    1. There are legacy audit policies and advanced audit policies.
    2. If you have never configured any advanced audit policy before, then you configure the legacy audit policy.
    3. If you have configured any advanced audit policy before, then you have configured the advanced audit policy.
    4. Once you configure any one of the advanced audit policies, all legacy audit policies will be overwritten by default.

    Open the Event Viewer on the domain controller and view the Security log. I have listed the case IDs that you need to view in your question.

    - 4720(S): A user account was created.
    - 4724(S, F): An attempt was made to reset an account's password.
    - 4767(S): A user account was unlocked.

    I hope the information above is helpful. If you have any questions or concerns, please feel free to let us know.

    Best Regards,
    Daisy Zhou
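One way to turn the three event IDs listed in the answer above into the monthly counts the question asks for, as an added PowerShell example that is not part of the original answer. It assumes the ActiveDirectory (RSAT) module is installed and that the account running it can read the Security log on every domain controller; the 90-day window and the CSV file name are illustrative choices.

```powershell
# Added example: count account creations, password resets and unlocks per month.
# Run from an elevated session with rights to read the Security log on each DC.
# Assumption: ActiveDirectory module (RSAT) is available; window and path are illustrative.
Import-Module ActiveDirectory

$eventNames = @{
    4720 = 'Account created'
    4724 = 'Password reset attempt'
    4767 = 'Account unlocked'
}
$start = (Get-Date).AddDays(-90)
$auditFailure = 0x10000000000000   # standard "Audit Failure" keyword bit

# Each DC logs only the changes it processed, so query all of them.
$records = foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
    try {
        Get-WinEvent -ComputerName $dc -ErrorAction Stop -FilterHashtable @{
            LogName = 'Security'; Id = [int[]]$eventNames.Keys; StartTime = $start
        }
    } catch {
        # Raised when a DC is unreachable and also when no events match the filter.
        Write-Warning "${dc}: $($_.Exception.Message)"
    }
}

$rows = foreach ($r in $records) {
    # Pull the named fields out of the event XML.
    $data = @{}
    foreach ($d in ([xml]$r.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Month   = $r.TimeCreated.ToString('yyyy-MM')
        Action  = $eventNames[$r.Id]
        Result  = if ($r.Keywords -band $auditFailure) { 'Failure' } else { 'Success' }
        Target  = $data['TargetUserName']    # account that was changed
        ActedBy = $data['SubjectUserName']   # account that made the change
        DC      = $r.MachineName
    }
}

# Monthly totals for the report, plus the detail rows for follow-up questions.
$rows | Group-Object Month, Action, Result |
    Sort-Object Name |
    Select-Object Name, Count |
    Format-Table -AutoSize
$rows | Export-Csv -Path .\account-changes.csv -NoTypeInformation
```

The counts reach only as far back as each domain controller's Security log retains events, so a long reporting period needs a log size or forwarding setup that keeps them.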
