Auditor Help: Common 2000/2003 Auditing Event Codes

This information has been provided from Microsoft's documentation on auditing event codes.

Category Description Event Code
Account Management User Account Created 624
Account Management User Account Changed 642
Account Management User Account Deleted 630
Account Management User Account Disabled 629
Account Management Change Password 627
Account Management User Account Password set 628
Account Management Security Enabled Local Group created 635
Account Management Security Enabled Local Group deleted 638
Account Management Security Enabled Local Group changed 639
Account Management Security Enabled Local Group Member added 636
Account Management Security Enabled Local Group Member removed 637
Account Management Security Enabled Global Group Member added 632
Account Management Security Enabled Global Group Member removed 633
Account Management Security Enabled Universal Group Member added 660
Account Management Security Enabled Universal Group Member removed 661
Account Management User account locked out 644
Account Management Group Type changed 668
Logon Event Successful logon 528
Logon Event Logon failure - Unknown user or bad password 529
Logon Event Logon failure - Logon time restriction violation 530
Logon Event Logon failure - Account currently disabled 531
Logon Event User account expired 532
Logon Event User not allowed to logon on this computer 533
Logon Event Password Expired 535
Object Access Object Access Attempt 567
Object Access Object Open 560
Object Access Object Deleted 564
Object Access Handle Closed 562
Policy Change Policy Changed 612
Policy Change Trusted Domain added 610
Policy Change Trusted Domain removed 611
Policy Change IPSEC Policy agent started 613
Policy Change IPSEC Policy agent disabled 614
Policy Change Kerberos Policy changed 617
Policy Change Encrypted Data recovery policy changed 618
System Events Computer Shutdown/Restarted 513
System Events Previous shutdown was clean 6006
System Events Restart was unexpected 6008
System Events Restart due to blue screen 1001
System Events Audit log was cleared 517

Resource More information about Windows security events codes can be found in Microsoft’s Knowledge base articles: 299475 and 301677.