We're getting ready to monitor our Windows Server 2003 domain controllers (DCs) for reenablement of formerly disabled user accounts (event ID 626—user account enabled) and password resets (event ID 628—user account password set). Are there any caveats of which we should be aware?
Yes. Windows logs a spurious instance of both these events during account creation because the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in initially creates an account in disabled status, then fills in the account's properties, then sets the account's password and enables the account. User account creations create a telltale pattern in the Security log of event ID 624 (user account created), followed by several instances of event ID 642 (user account changed) interspersed with event IDs 626 and 628. Therefore, you can ignore instances of event ID 626 and 628 that are preceded by event ID 624 in close proximity for the same account because these instances will be associated with account creations rather than reenablements