Windows Server 2003 Domain Controller Security
Use this SAM application monitor template to check for locked out and/or disabled users, and to count the Windows security events that relate to Windows Server 2003 Domain Controller security.
Prerequisites
- WinRM is installed and properly configured on the target server. See Enable remote access for PowerShell with WinRM.
- WMI access to the target server.
- Auditing on domain controller (success and failure) must be enabled for the following items: Account Management, Logon Events, Policy Changes and System Events.
To learn how to enable auditing, see Upgrade Domain Controllers (© Microsoft Corp., available at http://technet.microsoft.com, obtained on December 31, 2018).
Credentials
Administrator on target server.
Component monitors
All monitors, except Locked out users and Disabled users, should return zero values. Returned values other than zero may indicate an abnormality. If you believe an abnormality exists, you should examine the Windows security log for details.
Locked out users
The number of currently locked out users. Set the threshold value according to your requirements.
Disabled users
The number of currently disabled users. Set the threshold value according to your requirements.
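The two account-count monitors above are LDAP queries rather than event counts. The following PowerShell is an added example, not code from the SolarWinds template, showing how to produce the same two numbers with plain ADSI/DirectorySearcher, which works against a Windows Server 2003 domain without the ActiveDirectory module. It assumes it runs on a domain-joined poller as an account that can read the domain naming context; it also handles the caveat that lockoutTime is not cleared when the lockout duration expires, so a raw (lockoutTime>=1) filter over-counts.

```powershell
# Added example (not part of the SolarWinds template). Assumes a domain-joined
# host and read access to the domain naming context.
Add-Type -AssemblyName System.DirectoryServices

function New-DomainSearcher {
    # Build a DirectorySearcher rooted at the domain naming context (LDAP://RootDSE
    # tells us the DN, e.g. DC=corp,DC=example,DC=com, so nothing is hard-coded).
    param(
        [Parameter(Mandatory = $true)][string]$LdapFilter,
        [string[]]$Properties = @('distinguishedName'),
        [string]$Scope = 'Subtree'
    )
    $dnc = [string]([ADSI]'LDAP://RootDSE').defaultNamingContext
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot  = [ADSI]"LDAP://$dnc"
    $searcher.Filter      = $LdapFilter
    $searcher.SearchScope = $Scope
    $searcher.PageSize    = 1000     # paged results, so large domains do not hit the 1000-entry limit
    foreach ($p in $Properties) { [void]$searcher.PropertiesToLoad.Add($p) }
    return $searcher
}

function Get-DisabledUserCount {
    # userAccountControl bit 0x2 = ACCOUNTDISABLE. The matching-rule OID
    # 1.2.840.113556.1.4.803 is LDAP_MATCHING_RULE_BIT_AND, i.e. "bit is set".
    $searcher = New-DomainSearcher '(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))'
    return $searcher.FindAll().Count
}

function Get-LockedOutUserCount {
    # lockoutDuration lives on the domain head as a negative interval in 100 ns
    # units; 0x8000000000000000 ([int64]::MinValue) means "locked until an admin unlocks".
    $domain   = (New-DomainSearcher '(objectClass=domainDNS)' @('lockoutDuration') 'Base').FindOne()
    $duration = [int64]$domain.Properties['lockoutduration'][0]

    # lockoutTime is a FILETIME (UTC). It stays set after the lockout window has
    # passed and is only reset on the next successful logon or an explicit unlock,
    # so each candidate is checked against lockoutTime + |lockoutDuration|.
    $searcher = New-DomainSearcher '(&(objectCategory=person)(objectClass=user)(lockoutTime>=1))' @('lockoutTime', 'sAMAccountName')
    $nowFileTime = [DateTime]::UtcNow.ToFileTimeUtc()
    $count = 0
    foreach ($result in $searcher.FindAll()) {
        $lockedAt = [int64]$result.Properties['lockouttime'][0]
        if ($duration -eq [int64]::MinValue) { $count++; continue }   # permanent lockout
        if (($lockedAt - $duration) -gt $nowFileTime) { $count++ }    # duration is negative, so subtract
    }
    return $count
}

# Usage: the same two values the template's first two monitors report.
"Locked out users: $(Get-LockedOutUserCount)"
"Disabled users:   $(Get-DisabledUserCount)"
```

Note that lockoutTime is replicated with some delay, so a single DC's view can lag; the PDC emulator holds the authoritative copy and is the best target when the count is used for alerting.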
User Account: Creating a user account
The number of events generated from creating new user accounts.
Event ID: 624.
Only authorized people and processes should create network accounts. Examine the Primary User Name field to detect whether an authorized person or process created an account. This event also detects if administrators create accounts outside organizational policy guidelines.
User Account: Deleting a user account
The number of events generated from deleting user accounts.
Event ID: 630.
Only authorized people and processes should delete network accounts. Search for these events and examine the Primary Account Name field to detect if unauthorized people have deleted accounts.
User Account: Changing a user account
The number of events generated from changes that were made to security-related properties of user accounts.
Event ID: 642.
User Account: Change password attempt
The number of account password change attempts.
Event ID: 627.
This event results from a password change request in which the user supplies the original password to the account. Compare Primary Account Name to Target Account Name to determine whether the account owner or someone else attempted to change the password. If Primary Account Name does not equal Target Account Name, someone other than the account owner tried to change the password.
User Account: Password set or reset
The number of times a user or process resets an account password through an administrative interface, such as Active Directory Users and Computers, rather than through a password change process.
Event ID: 628.
Only authorized people or processes should carry out this process, such as help desk or user self-service password reset.
Logon Failure: Unknown user name or password
The number of failed login attempts with an incorrect username and/or password.
Event ID: 529.
Check for attempts where Target Account Name equals Administrator or the renamed default administrator account. Also look for repeated failures that stay below the account lockout threshold, which can indicate password guessing tuned to avoid triggering a lockout.
Logon Failure: Disabled account
The number of failed login attempts using a disabled account.
Event ID: 531.
Always investigate this event. Check Target Account Name value and Workstation Name. This event can signal attempted abuse by former internal users.
Logon Failure: Expired account
The number of failed login attempts using an expired account.
Event ID: 532.
Always investigate this event. This event can signal attempted abuse by contractors or temporary internal users.
Logon Failure: Logon type not allowed
The number of failed attempts to log on interactively with service account credentials when Group Policy settings prevent that account from interactive logon.
Event ID: 534.
Logon Failure: Account locked out
The number of failed login attempts using an account that has been locked out.
Event ID: 539.
Correlate with Event 529 to detect a pattern of continued lockouts.
Logon Failure: User account automatically locked
The number of accounts that were automatically locked out.
Event ID: 644.
A user account has been locked out because the number of sequential failed logon attempts reached the account lockout threshold.
Logon Failure: Time restrictions
The number of attempts to logon outside the permitted times.
Event ID: 530.
Check User Account Name and Workstation Name.
Logon Failure: Replay attack detected
The number of detected attempts by the authentication package to log on by replaying a user's credentials.
Event ID: 553.
Investigate immediately. Alternatively, this could be a sign of improper network configuration.
System: Change directory services restore mode password
The number of attempts to change the Directory Services Restore Mode password on a domain controller.
Event ID: 698.
Check Workstation IP and Account Name and investigate immediately.
System: Windows is shutting down
The number of Windows shutdown events.
Event ID: 513.
Usually appears before Event 512 (Windows is starting up). On high-value computers, authorized personnel should restart computers in accordance with established policies. Investigate immediately when this event occurs on any server.
System: Clearing the security event logs
The number of times security logs have been cleared.
Event ID: 517.
Administrators should not clear security event logs without authorization. Check Client User Name and Client Domain, then cross-correlate with authorized personnel.
System: Changing system time
The number of times the system time has been changed.
Event ID: 520.
This action can mislead forensic investigation or provide an attacker with a false alibi. The process name is normally %windir%\system32\svchost.exe, the host process for the Windows Time service; treat any other process name as suspicious. Check Client User Name and Client Domain, then cross-correlate with authorized personnel.
System: Changing audit policy
The number of times audit policies have been changed.
Event ID: 612.
This event does not necessarily indicate a problem. However, an attacker can change audit policy as part of a computer system attack. You should monitor for this event on high value computers and domain controllers.
System: Changing the domain security policy
The number of attempts to modify a password policy or other domain security policy settings.
Event ID: 643.
Check user name of subject and correlate with authorization.
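Every monitor from "User Account: Creating a user account" down to "System: Changing the domain security policy" is a count of one Security-log event ID over the polling window, and per the template guidance all of them should read zero. The following PowerShell is an added example, not the template's own monitor code, that reproduces those counts from a poller and flags non-zero ones. It uses Get-EventLog because Windows Server 2003 exposes only the classic event log (Get-WinEvent needs Vista or later). Assumptions: the computer name resolves to the DC, the caller has the Administrator rights the template requires, and the hostname, window length and renamed administrator name in the usage line are placeholders.

```powershell
# Added example (not part of the SolarWinds template). Event IDs and monitor
# names are the ones listed on this page.
$MonitoredEvents = @{
    624 = 'User Account: Creating a user account'
    630 = 'User Account: Deleting a user account'
    642 = 'User Account: Changing a user account'
    627 = 'User Account: Change password attempt'
    628 = 'User Account: Password set or reset'
    529 = 'Logon Failure: Unknown user name or password'
    531 = 'Logon Failure: Disabled account'
    532 = 'Logon Failure: Expired account'
    534 = 'Logon Failure: Logon type not allowed'
    539 = 'Logon Failure: Account locked out'
    644 = 'Logon Failure: User account automatically locked'
    530 = 'Logon Failure: Time restrictions'
    553 = 'Logon Failure: Replay attack detected'
    698 = 'System: Change directory services restore mode password'
    513 = 'System: Windows is shutting down'
    517 = 'System: Clearing the security event logs'
    520 = 'System: Changing system time'
    612 = 'System: Changing audit policy'
    643 = 'System: Changing the domain security policy'
}

function Get-DcSecurityEventCounts {
    param(
        [Parameter(Mandatory = $true)][string]$ComputerName,
        [int]$Hours = 24,
        # Name of the built-in administrator; pass the renamed account if you renamed it.
        [string]$AdminAccountName = 'Administrator'
    )
    $since = (Get-Date).AddHours(-$Hours)

    # One remote read of the Security log for the window, filtered client-side on
    # EventID. (Filtering on -InstanceId is faster but classic-log instance IDs can
    # carry qualifier bits, so EventID is the safer match for 2003-era events.)
    $events = @(Get-EventLog -ComputerName $ComputerName -LogName Security -After $since -ErrorAction Stop |
                Where-Object { $MonitoredEvents.ContainsKey($_.EventID) })

    $counts = @{}
    foreach ($id in $MonitoredEvents.Keys) { $counts[$id] = 0 }
    foreach ($e in $events) { $counts[$e.EventID]++ }

    # Heuristic from the 529 guidance: failures whose message names the built-in
    # (or renamed) administrator account. A word-boundary match on the message text
    # is an approximation; the exact field label varies between event versions.
    $adminPattern  = '\b' + [regex]::Escape($AdminAccountName) + '\b'
    $adminFailures = @($events | Where-Object { $_.EventID -eq 529 -and $_.Message -match $adminPattern }).Count

    $rows = foreach ($id in ($MonitoredEvents.Keys | Sort-Object)) {
        New-Object PSObject -Property @{
            EventID = $id
            Monitor = $MonitoredEvents[$id]
            Count   = $counts[$id]
            Status  = if ($counts[$id] -eq 0) { 'OK' } else { 'CHECK security log' }
        }
    }
    New-Object PSObject -Property @{
        ComputerName            = $ComputerName
        WindowHours             = $Hours
        Monitors                = $rows
        AdminTargetedFailures   = $adminFailures   # 529 events naming the admin account
        LockoutsToCorrelate     = $counts[539]     # read alongside the 529 count
    }
}

# Usage (hostname is a placeholder): print the per-monitor table and the two extras.
$report = Get-DcSecurityEventCounts -ComputerName 'dc01.corp.example' -Hours 24 -AdminAccountName 'Administrator'
$report.Monitors | Select-Object EventID, Count, Status, Monitor | Format-Table -AutoSize
"529 events naming the admin account: $($report.AdminTargetedFailures)"
"539 lockout failures to correlate with 529: $($report.LockoutsToCorrelate)"
```

The Status column mirrors the template's rule that every event monitor should be zero; any CHECK row is the cue to open the Security log on the DC and read the individual events, since the count alone cannot tell an authorized change from an unauthorized one.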