Share via


Audit Computer Account Management

Audit Computer Account Management determines whether the operating system generates audit events when a computer account is created, changed, or deleted.

This policy setting is useful for tracking account-related changes to computers that are members of a domain.

Event volume: Low on domain controllers.

This subcategory allows you to audit events generated by changes to computer accounts such as when a computer account is created, changed, or deleted.

Computer Type General Success General Failure Stronger Success Stronger Failure Comments
Domain Controller Yes No Yes No We recommend monitoring changes to critical computer objects in Active Directory, such as domain controllers, administrative workstations, and critical servers. It's especially important to be informed if any critical computer account objects are deleted.
Additionally, events in this subcategory will give you information about who deleted, created, or modified a computer object, and when the action was taken.
Typically volume of these events is low on domain controllers.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory.
Member Server No No No No This subcategory generates events only on domain controllers.
Workstation No No No No This subcategory generates events only on domain controllers.

Events List:

  • 4741(S): A computer account was created.

  • 4742(S): A computer account was changed.

  • 4743(S): A computer account was deleted.