Security Events Are Not Logged During Audit

This article was previously published under Q173059
This article has been archived. It is offered "as is" and will no longer be updated.
When audit policies are set to log User and Group Management events, someEvent IDs are not recorded in the event log when the event to which theyrefer occurs.
The following events should be recorded when auditing User and GroupManagement events:
  • Event ID 625: User Account Type Change
    (Indicates that a user account's type has been changed)

  • Event ID 626: User Account Enabled
    (Indicates that a user account has been enabled)

  • Event ID 628: User Account password set
    (Indicates that a user account's password has been set)

  • Event ID 629: User Account Disabled
    (Indicates that a user account has been disabled)

  • Event ID 640: General Account Database Change
    (Indicates that a change has been made to the Security Account Manager [SAM] database)
All of these events are logged as Event ID 642: User Account Changed, andthe record indicates that a change has been made to a User Account.
To resolve this problem, obtain the latest service pack for Windows NT 4.0 or Windows NT Server 4.0,Terminal Server Edition. For additional information, click the following article number to view the article in theMicrosoft Knowledge Base:
152734 How to Obtain the Latest WindowsNT 4.0 Service Pack

Microsoft has confirmed that this is a problem in Windows NT 4.0 and Windows NT Server 4.0,Terminal Server Edition. This problem was first corrected in Windows NT 4.0 Service Pack 4.0 and Windows NTServer 4.0, Terminal Server Edition Service Pack 4.
secevent sec audit lo gged logging

Article ID: 173059 - Last Review: 10/07/2013 05:18:23 - Revision: 1.2

Microsoft Windows NT Server 4.0, Terminal Server Edition, Microsoft Windows NT Server 4.0 Standard Edition, Microsoft Windows NT Workstation 4.0 Developer Edition

  • kbnosurvey kbarchive kbhotfixserver kbqfe kbbug kbfix kbwinnt400sp4fix KB173059