Audit Account Management not logging.
We are running a native 2008 R2 Single domain forest. We have four DC's in our data center. When I check on the default Domain controller Policy, the Local Policies/Audit Policies are set to: Audit account Management: Success/Failure. I have verified that the DC's actually have this turned on. However, when I try to filter the Security Log on any of the DC's to look for password change related events (Event ID 627/628) I cannot find any logged events. We have close to 30000 users in our AD and according to the logs no one has changed their password. (Which is known to not be true). Any suggestions on where I can look to figure this out? We want to delegate Password Reset/Unlocking rights to specific users, but we need to be able to log it fully. Thanks, Mike
November 26th, 2010 1:20pm

Well I just found out the security event ID's have changed in 2008. The new events are 4723/4724.
November 26th, 2010 3:45pm

Yes, the Event IDs were changed in Windows Server 2008. For more events about User Account Management in Windows Server 2008 and Windows Server 2008 R2, please refer to the following articles:

Audit User Account Management
http://technet.microsoft.com/en-us/library/dd772693(WS.10).aspx

Description of security events in Windows Vista and in Windows Server 2008
http://support.microsoft.com/kb/947226

Hope it helps. Regards, Bruce
November 28th, 2010 11:51pm

I have some questions, however. I have created custom views on all of our DC's. The custom view is set to display events from any time, security log, and all events matching ids: 4723,4724,4740,4767. It's only showing events from today. It's not even showing events that were there on Friday anymore. The security log on each server is around 250k events each. It's set to overwrite as needed, but it wouldn't be overwriting events from last week. We have had account management logging turned on since August when we deployed the new servers. We should be seeing hundreds or thousands of these events but we are not. Logging appears to be working, however, as if I do something now, it shows up in the logs, but I cannot figure out where the old events are, plus I need to make sure that new events don't disappear as well. Any suggestions on where I should start looking?
November 29th, 2010 9:53am

Hi, Please filter the Security Log to check if you can find the old events. Also check the date of the oldest security log. Meanwhile, in Event Viewer, right click on Security log -> Properties. Check the current log size and the Maximum log size. For your convenience, here are the recommended settings of event log sizes:

Recommended settings for event log sizes in Windows Server 2003, Windows XP, Windows Server 2008 and Windows Vista
http://support.microsoft.com/kb/957662

Regards, Bruce
November 30th, 2010 4:28am

Hi Is there any update about this problem? Please let us know if you would like further assistance. Have a great day!
December 3rd, 2010 8:25am

I haven't had a chance to look at this again until now. It looks like we are auditing log on and log off. The security log is filled up in a matter of hours. I will have to look into changing the log size as per the article you linked. Thanks
December 3rd, 2010 9:36am
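
Added example, not part of the original thread: a PowerShell check that reports, for each DC, the Security log's size settings, the time span the log currently covers, and how many of the account-management events named above (4723, 4724, 4740, 4767) are still in it. The DC names are placeholders, and the account running it is assumed to have rights to read the remote Security log.

```powershell
# Added example. DC names are placeholders; replace with your own.
$DomainControllers = 'DC01', 'DC02', 'DC03', 'DC04'
# Event IDs named in the thread (Windows Server 2008 and later numbering).
$AccountEventIds = 4723, 4724, 4740, 4767

foreach ($dc in $DomainControllers) {
    try {
        # Log configuration: size limits, retention mode, record count.
        $log    = Get-WinEvent -ListLog Security -ComputerName $dc -ErrorAction Stop
        # Oldest and newest records bound the window the log currently covers.
        $oldest = Get-WinEvent -LogName Security -ComputerName $dc -Oldest -MaxEvents 1 -ErrorAction Stop
        $newest = Get-WinEvent -LogName Security -ComputerName $dc -MaxEvents 1 -ErrorAction Stop
    } catch {
        Write-Warning "${dc}: $($_.Exception.Message)"
        continue
    }

    # Get-WinEvent raises an error when nothing matches, so suppress it
    # and treat that case as zero hits.
    $filter = @{ LogName = 'Security'; Id = $AccountEventIds }
    $hits   = @(Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction SilentlyContinue)
    $perId  = ($hits | Group-Object Id | Sort-Object Name |
        ForEach-Object { "$($_.Name)=$($_.Count)" }) -join ', '

    New-Object PSObject -Property @{
        DC          = $dc
        LogMode     = $log.LogMode                      # Circular = overwrite as needed
        MaxSizeMB   = [math]::Round($log.MaximumSizeInBytes / 1MB, 1)
        CurrentMB   = [math]::Round($log.FileSize / 1MB, 1)
        Records     = $log.RecordCount
        OldestEvent = $oldest.TimeCreated
        WindowHours = [math]::Round(($newest.TimeCreated - $oldest.TimeCreated).TotalHours, 1)
        AcctEvents  = $perId
    } | Select-Object DC, LogMode, MaxSizeMB, CurrentMB, Records, OldestEvent, WindowHours, AcctEvents
}
```

A WindowHours value of only a few hours on a log set to overwrite as needed means older account-management events have already been overwritten.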
