TABLE 1: Win2K Audit Categories and Primary Event IDs

| Category | Event ID | Description |
|---|---|---|
| Audit account logon events | 672 | Authentication ticket granted |
| | 673 | Service ticket granted |
| | 674 | Ticket granted renewed |
| | 675 | Preauthentication failed |
| | 676 | Authentication ticket request failed |
| | 677 | Service ticket request failed |
| | 680 | Account used for logon |
| | 681 | NTLM authentication request failed |
| Audit account management | 624 | User object created |
| | 630 | User object deleted |
| | 631 | Global group added |
| | 632 | Member added to Global group |
| | 633 | Member removed from Global group |
| | 634 | Global group deleted |
| | 635 | Local group added |
| | 636 | Member added to Local group |
| | 637 | Member removed from Local group |
| | 638 | Local group deleted |
| | 639 | Local group changed |
| | 641 | Global group changed |
| | 642 | User object changed |
| | 644 | User account locked out |
| | 645 | Computer object added |
| | 646 | Computer object changed |
| | 647 | Computer object deleted |
| | 658 | Universal group added |
| | 659 | Universal group changed |
| | 660 | Member added to Universal group |
| | 661 | Member removed from Universal group |
| | 662 | Universal group deleted |
| | 668 | Group type changed |
| Audit directory service access | 565 | Information about accessed objects in AD |
| Audit logon events | 528 | Successful logon |
| | 529 | Failed logon (unknown username or bad password) |
| | 530 | Failed logon (account logon time restriction violation) |
| | 531 | Failed logon (account disabled) |
| | 532 | Failed logon (account expired) |
| | 533 | Failed logon (user not permitted to log on at machine) |
| | 534 | Failed logon (user hasn't been granted requested logon type at machine) |
| | 535 | Failed logon (password expired) |
| | 537 | Failed logon (unspecified error) |
| | 538 | Successful logoff |
| | 539 | Failed logon (account locked out) |
| | 540 | Successful network logon |
| Audit object access | 560 | Object opened |
| | 562 | Handle closed |
| Audit policy change | 608 | User right assigned |
| | 609 | User right removed |
| | 610 | New trusted domain |
| | 611 | Removing trusted domain |
| | 615 | IPSec policy changed (Event Viewer lists this event under the Audit process tracking category) |
| | 616 | IPSec policy agent encountered a potentially serious failure (Event Viewer lists this event under the Audit process tracking category) |
| | 617 | Kerberos policy changed |
| | 618 | Encrypted data recovery policy changed |
| | 620 | Trusted domain information modified |
| Audit privilege use | 576 | Special privileges assigned to new logon |
| | 577 | Privileged service called |
| | 578 | Privileged object operation |
| Audit process tracking | 592 | New process has been created |
| | 593 | A process has exited |
| Audit system events | 512 | Windows NT is starting up |
| | 513 | Windows NT is shutting down (Win2K doesn't log this event accurately) |
| | 514 | Authentication package has been loaded by the Local Security Authority (LSA) |
| | 515 | Trusted logon process has registered with the LSA |
| | 517 | Audit log was cleared |
| | 518 | The SAM has loaded a notification package |