User Account Permissions changed...

I have searched the group and the web but havent found the specifics to where
I can find the answer to my question.

Where in Event viewer can I find what account was used to change a users
account group? The user was added to the local machine as an administrator.
I have searched Event Viewer but cannot find it in the logs. What is the
event ID for an account permission change?

Thanks for your help. Also, if this has been answered before, please post
the link.

Jeremy

I don't think changing a user account type is logged in the event viewer. It
would take an admin account to perform this type of action.

--

Ronnie Vernon
Microsoft MVP
Windows Shell/User


"Jeremy Mitchell" <> wrote in
message news:1A4A358B-A1F5-4236-B1A7-...
>I have searched the group and the web but havent found the specifics to
>where
> I can find the answer to my question.
>
> Where in Event viewer can I find what account was used to change a users
> account group? The user was added to the local machine as an
> administrator.
> I have searched Event Viewer but cannot find it in the logs. What is the
> event ID for an account permission change?
>
> Thanks for your help. Also, if this has been answered before, please post
> the link.
>

Ronnie,

Thanks for the response. After further investigation, if I am not mistaken,
I believe this event would only be logged if the "Audit account Management"
subcategory is enabled in the Local Security Policy on each PC, or the parent
Audit Policy was enabled, which would turn on all auditing events. The IT
person who elevated the user's permissions does have domain admin rights. I
just wanted to try and find concrete evidence.

From what I have read, when all auditing features are enabled, you should be
able to go back and find anything that was done on the pc. This is not a
best practice for most, however.

"Ronnie Vernon MVP" wrote:

> Jeremy
>
> I don't think changing a user account type is logged in the event viewer. It
> would take an admin account to perform this type of action.
>
> --
>
> Ronnie Vernon
> Microsoft MVP
> Windows Shell/User

Jeremy

Your assessment appears to be correct. Like you said, it's not considered a
best practice, but if there is a problem this would be a good way to resolve
it.

--

Ronnie Vernon
Microsoft MVP
Windows Shell/User


"Jeremy Mitchell" <> wrote in
message news38FFD8C-EFE5-4E0E-8D53-...
> Ronnie,
>
> Thanks for the response. After further investigation, if I am not
> mistaken,
> I believe this event would only be logged if the "Audit account
> Management"
> subcategory is enabled in the Local Security Policy on each PC, or the
> parent
> Audit Policy was enabled, which would turn on all auditing events. The IT
> person who elevated the user's permissions does have domain admin rights.
> I
> just wanted to try and find concrete evidence.
>
> From what I have read, when all auditing features are enabled, you should
> be
> able to go back and find anything that was done on the pc. This is not a
> best practice for most, however.
>
> "Ronnie Vernon MVP" wrote:
>
>> Jeremy
>>
>> I don't think changing a user account type is logged in the event viewer.
>> It
>> would take an admin account to perform this type of action.
>>
>> --
>>
>> Ronnie Vernon
>> Microsoft MVP
>> Windows Shell/User
>