Hi SA community,
I am trying to create an alert in order to be informed when the Windows domain admin changes a user account to "never-expire".
This is in fact logged via event ID 4738 (Security).
This event has many attributes, though; the one related to my alert is under the "User Account Control" attribute --> 'Don't Expire Password'.
I wonder if SA keeps the related metadata of event ID 4738?
Has anyone experienced this kind of situation?
Here is an example of such an event:
A user account was changed.

Subject:
    Security ID: NTD_xxx/Andyxxx
    Account Name: Andyxxx
    Account Domain: NTD_xxx
    Logon ID: 0xe8d8873

Target Account:
    Security ID: NTD_xxx/E_ATxxx
    Account Name: E_ATxxx
    Account Domain: NTD_xxx

Changed Attributes:
    SAM Account Name: -
    Display Name: -
    User Principal Name: -
    Home Directory: -
    Home Drive: -
    Script Path: -
    Profile Path: -
    User Workstations: -
    Password Last Set: -
    Account Expires: -
    Primary Group ID: -
    AllowedToDelegateTo: -
    Old UAC Value: 0x10
    New UAC Value: 0x210
    User Account Control:
        'Don't Expire Password' - Enabled
    User Parameters: -
    SID History: -
    Logon Hours: -

Additional Information:
    Privileges: -
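An added example, not part of the original post and not SA's own parsing: a Python sketch of the check such an alert needs, run over an abridged copy of the 4738 message quoted above. The function names are hypothetical, and the 0x200 bit is an assumption inferred from the sample's 0x10 -> 0x210 change.

```python
import re

# Assumption: bit inferred from the sample event on this page, where
# Old UAC 0x10 -> New UAC 0x210 appears with 'Don't Expire Password' - Enabled.
DONT_EXPIRE_BIT = 0x200

# Abridged copy of the event quoted in the post, flattened to one line.
SAMPLE = ("A user account was changed. Subject: Security ID: NTD_xxx/Andyxxx "
          "Account Name: Andyxxx Account Domain: NTD_xxx Target Account: "
          "Security ID: NTD_xxx/E_ATxxx Account Name: E_ATxxx "
          "Old UAC Value: 0x10 New UAC Value: 0x210 "
          "User Account Control: 'Don't Expire Password' - Enabled")

FIELDS = {
    "actor": re.compile(r"Subject:.*?Account Name:\s*(\S+)", re.S),
    "target": re.compile(r"Target Account:.*?Account Name:\s*(\S+)", re.S),
    "old_uac": re.compile(r"Old UAC Value:\s*(0x[0-9A-Fa-f]+)"),
    "new_uac": re.compile(r"New UAC Value:\s*(0x[0-9A-Fa-f]+)"),
}
UAC_TEXT = re.compile(r"'Don't Expire Password'\s*-\s*(Enabled|Disabled)")


def parse_4738(message):
    """Extract who changed whom, plus the UAC values, from a 4738 message."""
    out = {}
    for name, rx in FIELDS.items():
        m = rx.search(message)
        out[name] = m.group(1) if m else None
    for key in ("old_uac", "new_uac"):
        if out[key] is not None:
            out[key] = int(out[key], 16)
    m = UAC_TEXT.search(message)
    out["uac_text"] = m.group(1) if m else None
    return out


def never_expire_enabled(message):
    """True when the event shows 'Don't Expire Password' being switched on."""
    ev = parse_4738(message)
    if ev["uac_text"] == "Enabled":
        return True
    # Fall back to the bitmask when the descriptive text was not retained.
    if ev["old_uac"] is None or ev["new_uac"] is None:
        return False
    newly_set = ev["new_uac"] & ~ev["old_uac"]
    return bool(newly_set & DONT_EXPIRE_BIT)
```

The bitmask fallback matters when a collector keeps only the Old/New UAC values and drops the descriptive 'Don't Expire Password' line.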