Rogue system administrator accounts

[sraveendran]

Hi

Does anyone know if there is a way to find out who created a user? (already know the date created) we have serious problem here I think I know who created a load of admin accounts on the server (Windows Server 2003)but he is denying it any help would be appreciated.

Thanks

 

[itsp1965]

If you have auditing enabled on your server you should be able to track the following event's
624 User account created
639 Security enabled local group changed

Hope this helps

 

[sraveendran]

Thanks for the reply, Please see below my Auditing options. I can seem to find EVT 624 and its only show for 10/12/2007 to 11/12/2007

Audit Account management set to Success/failure

Audit Policy Change set to Success/failure

Audit Process tracking set to No Auditing

Everthing else set to failure

Is this correct setup to identify the account creator?

Thanks

 

[itsp1965]

I would also audit privilege use. As for why your logs only show a month's worth of data is because of your event log settings. I usually set the security log to a size of 528MB and to delete records every 60 days