eG Monitoring

Measures reported by ADAcMgmtEvtTest

The addition of new users, computers and groups to an Active Directory domain, changes to existing user, computer and group accounts, and the deletion of accounts all need to be verified as having been performed only by authorized personnel and with no malicious intent. To track such operations, the "Audit account management events" audit policy provides specific event IDs. Using the ADAcMgmtEvtTest test, you can continuously track events with the event IDs grouped under Audit account management events and be proactively alerted to the sudden addition, modification or deletion of users, groups or computers in Active Directory. You can also use the detailed diagnosis of the test to find out which user performed the addition, modification or deletion, and when.

The measures made by this test are as follows:

Each measurement is listed below with its description, measurement unit and interpretation.

Admin_rst_pwd
    Description: Indicates the number of times a user password was changed by the administrator since the last measurement period.
    Unit: Number
    Interpretation: Typically, such an event occurs when the administrator changes some other user's password in response to a "forgot password" call. You can use the detailed diagnosis of this measure to know which admin user attempted the password change on which computer.

User_rst_pwd
    Description: Indicates the number of times a user password was changed by the user themselves since the last measurement period.
    Unit: Number
    Interpretation: You can use the detailed diagnosis of this measure to know which user attempted the password change on which computer.

User_acc_created
    Description: Indicates the number of user accounts that have been created since the last measurement period.
    Unit: Number
    Interpretation: New user accounts are important to audit, to verify that each corresponds to a legitimate employee, contractor or application. Outside intruders often create new user accounts to facilitate continued access to a penetrated system. Therefore, any sudden increase in the value of this measure should be treated with suspicion. You can use the detailed diagnosis of this measure to know which user created new users on which computer.

User_acc_deleted
    Description: Indicates the number of user accounts that have been deleted since the last measurement period.
    Unit: Number
    Interpretation: You can use the detailed diagnosis of this measure to know which user deleted user accounts on which computer.

User_acc_changed
    Description: Indicates the number of times user accounts have been changed since the last measurement period.
    Unit: Number
    Interpretation: Certain changes to user accounts are important to audit, since they can be a tip-off to compromised accounts. For instance, both insider and outsider computer criminals often gain access to a system by socially engineering the help desk into resetting a user's password. A previously disabled account being re-enabled may also be suspicious, depending on the history and type of the account. You can use the detailed diagnosis of this measure to know which user made changes to user accounts on which computer.

Comp_acc_created
    Description: Indicates the number of times computer accounts have been created since the last measurement period.
    Unit: Number
    Interpretation: You can use the detailed diagnosis of this measure to know which user created computer accounts on which computer.

Comp_acc_deleted
    Description: Indicates the number of computer accounts that have been deleted since the last measurement period.
    Unit: Number
    Interpretation: You can use the detailed diagnosis of this measure to know which user deleted computer accounts on which computer.

Comp_acc_changed
    Description: Indicates the number of computer accounts that have been changed since the last measurement period.
    Unit: Number
    Interpretation: You can use the detailed diagnosis of this measure to know which user changed computer accounts on which computer.

UserORComp_obj_del
    Description: Indicates the number of times a user/computer object was disabled during the last measurement period.
    Unit: Number
    Interpretation: You can use the detailed diagnosis of this measure to know which user disabled user/computer objects on which computer.

UserORComp_obj_enb
    Description: Indicates the number of times a user/computer object was enabled during the last measurement period.
    Unit: Number
    Interpretation: You can use the detailed diagnosis of this measure to know which user enabled user/computer objects on which computer.

User_addedto_SG
    Description: Indicates the number of users who were added to a security group during the last measurement period.
    Unit: Number
    Interpretation: Group changes, especially changes to a group's membership, are very useful to track, since groups are used to control access to resources, link security policies, and control wireless and remote access across a Windows network. Security groups are the only group type to which you can assign permissions and rights. Security groups are referred to as "security-enabled" groups in the security log. You can use the detailed diagnosis of this measure to know which user added users to a security group on which computer.

SG_deleted
    Description: Indicates the number of security groups that were deleted during the last measurement period.
    Unit: Number
    Interpretation: You can use the detailed diagnosis of this measure to know which user deleted security groups on which computer.

SG_created
    Description: Indicates the number of security groups that were created during the last measurement period.
    Unit: Number
    Interpretation: You can use the detailed diagnosis of this measure to know which user created security groups on which computer.

SG_changed
    Description: Indicates the number of security groups that were changed during the last measurement period.
    Unit: Number
    Interpretation: You can use the detailed diagnosis of this measure to know which user changed security groups on which computer.
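The following is an added illustration of how the measures above are derived from account-management events, not eG's own code. It assumes the standard Windows Security log event IDs for "Audit account management" (the mapping of IDs to eG measure names is my assumption, and only global-scope security-group IDs are listed), counts events per measure over constructed sample records, keeps the "who did what on which computer" detail that the detailed diagnosis reports, and flags a sudden increase against the previous period.

```python
from collections import Counter, defaultdict

# Standard Windows Security log IDs for "Audit account management" events, mapped
# to the eG measure names. The mapping is an assumption; only the global-scope
# security-group IDs are listed (local/universal groups have their own IDs).
MEASURE_FOR_EVENT_ID = {
    4724: "Admin_rst_pwd",      4723: "User_rst_pwd",
    4720: "User_acc_created",   4726: "User_acc_deleted",  4738: "User_acc_changed",
    4741: "Comp_acc_created",   4743: "Comp_acc_deleted",  4742: "Comp_acc_changed",
    4725: "UserORComp_obj_del", 4722: "UserORComp_obj_enb",
    4728: "User_addedto_SG",    4730: "SG_deleted",
    4727: "SG_created",         4737: "SG_changed",
}

# Constructed sample events for one measurement period (not real log data).
SAMPLE_EVENTS = [
    {"EventID": 4720, "Subject": "jdoe", "Computer": "DC01", "Target": "svc_app1"},
    {"EventID": 4720, "Subject": "jdoe", "Computer": "DC01", "Target": "svc_app2"},
    {"EventID": 4720, "Subject": "jdoe", "Computer": "DC01", "Target": "svc_app3"},
    {"EventID": 4720, "Subject": "jdoe", "Computer": "DC01", "Target": "svc_app4"},
    {"EventID": 4720, "Subject": "jdoe", "Computer": "DC01", "Target": "svc_app5"},
    {"EventID": 4728, "Subject": "jdoe", "Computer": "DC01", "Target": "Domain Admins"},
    {"EventID": 4724, "Subject": "helpdesk1", "Computer": "DC02", "Target": "asmith"},
    {"EventID": 4722, "Subject": "jdoe", "Computer": "DC01", "Target": "old_contractor"},
    {"EventID": 4624, "Subject": "asmith", "Computer": "DC02", "Target": "asmith"},  # logon, not account mgmt
]

def measure_events(events):
    """Count events per measure; keep (who, on which computer, which target) as detailed diagnosis."""
    counts = Counter({m: 0 for m in MEASURE_FOR_EVENT_ID.values()})
    diagnosis = defaultdict(list)
    for ev in events:
        measure = MEASURE_FOR_EVENT_ID.get(ev["EventID"])
        if measure is None:
            continue  # not an account-management event; ignore it
        counts[measure] += 1
        diagnosis[measure].append((ev["Subject"], ev["Computer"], ev["Target"]))
    return dict(counts), dict(diagnosis)

def sudden_increases(counts, previous, factor=3, minimum=3):
    """Measures whose count jumped versus the previous period: the spike the page says to treat with suspicion."""
    return sorted(m for m, n in counts.items() if n >= minimum and n > factor * previous.get(m, 0))

if __name__ == "__main__":
    counts, diag = measure_events(SAMPLE_EVENTS)
    previous = {"User_acc_created": 1}  # constructed baseline from the prior period
    for m in sudden_increases(counts, previous):
        print(m, counts[m], diag[m])
```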