This security policy setting determines whether the operating system generates audit events when the following user account management tasks are performed:

• A user account is created, changed, deleted, renamed, disabled, enabled, locked out, or unlocked.
• A user account password is set or changed.
• Security identifier (SID) history is added to a user account.
• The Directory Services Restore Mode password is set.
• Permissions on accounts that are members of administrators groups are changed.
• Credential Manager credentials are backed up or restored.

This policy setting is essential for tracking events that involve provisioning and managing user accounts.

Event volume: Low

If this policy setting is configured, the following events are generated. The events appear on computers running Windows Server 2008 R2, Windows Server 2008, Windows 7, or Windows Vista.

• 4720: A user account was created.
• 4722: A user account was enabled.
• 4723: An attempt was made to change an account's password.
• 4724: An attempt was made to reset an account's password.
• 4725: A user account was disabled.
• 4726: A user account was deleted.
• 4738: A user account was changed.
• 4740: A user account was locked out.
• 4765: SID History was added to an account.
• 4766: An attempt to add SID History to an account failed.
• 4767: A user account was unlocked.
• 4780: The ACL was set on accounts which are members of administrators groups.
• 4781: The name of an account was changed:
• 4794: An attempt was made to set the Directory Services Restore Mode.
• 5376: Credential Manager credentials were backed up.
• 5377: Credential Manager credentials were restored from a backup.