Quickly identify Windows Server 2003 Security event ID information

Source: Internet
Author: User
Keywords Security account disable delete nbsp;

&http://www.aliyun.com/zixun/aggregation/37954.html ">nbsp; The following IDs can help us quickly identify security events generated by the Microsoft Windows Server 2003 operating system, and what exactly that means is what happened.

Account logon events

The security events generated by the Audit account logon events security template settings are shown below.
672: The Authentication Service (as) ticket was successfully issued and validated ...
673: The Authorization Ticket Service (TGS) ticket is authorized. TGS is a ticket issued by the Kerberos V5 ticket Authorization Service (TGS), allowing users to authenticate specific services in the domain.
674: The security principal has updated the as ticket or TGS ticket.
675: Pre-authentication failed. The Key Distribution Center (KDC) generates this event when the user types the wrong password.
676: Authentication ticket request failed. This event is not generated in Windows XP Professional or members of the Windows Server family.
677:TGS ticket is not authorized. This event is not generated in Windows XP Professional or members of the Windows Server family ...
678: The account was successfully mapped to a domain account.
681: Login failed. Attempt to log on to a domain account. This event is not generated in Windows XP Professional or members of the Windows Server family.
682: The user has reconnected to a disconnected Terminal Server session.
683: The user disconnects the Terminal Server session without logging off.

Ii. Account Management Events

The security events generated by the Audit account Management security template setting are shown below.
624: User account created.   
    627: User password changed.
    628: User password set.
630: The user account has been deleted.
631: Global group created.
632: Members have been added to global groups.  
633: Members have been removed from the global group.
634: Global group deleted.  
635: A new local group has been created.
636: Members have been added to the local group.
637: The member has been removed from the local group.
638: The local group has been deleted.
639: The local group account has changed.
641: The global group account has changed.
642: User account changed.
643: The domain policy has been modified.
644: The user account is automatically locked.
645: The computer account has been created.
646: The computer account has changed.
647: The computer account has been deleted.
648: A security-disabled local security group has been created.
Note:.
from a formal name, security_disabled means that the group cannot be used to authorize access checks.
649: A security-disabled local security group has changed.
650: Members have been added to a security-disabled local security group.  
651: Members have been removed from a security-disabled local security group.
652: A security-disabled local group has been removed.
653: A security-disabled global group has been created.
654: A security-disabled global group has changed.
655: Members have been added to a security-disabled global group.
656: The member has been removed from a security-disabled global group.
657: A security-disabled global group has been removed.  
658: A security-enabled universal group has been created.
659: A security-enabled universal group has changed.
660: Members have been added to a security-enabled universal group.
661: The member has been removed from a security-enabled universal group.
662: A security-enabled universal group has been deleted.
663: A security-disabled universal group has been created.
664: A security-disabled universal group has changed.  
665: Members have been added to a security-disabled universal group.
666: Member has been from a security-disabled universal groupDelete.
667: A security-disabled universal group has been removed.
668: The group type has changed.
684: The security descriptor for the members of the administrative group is set.
Note:
on a domain controller, every 60 minutes, a background thread searches all members of the administrative group (such as Domain, enterprise, and schema administrators) and applies a fixed security descriptor to it. The event is logged.
685: Account name has changed.

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.