Multiple Events for Successful Account Creation

Here is the pattern you should expect to see when creating a local account. For domain accounts, you may also see some DS Access events as the account is created and the various properties are set.

560 SAM_DOMAIN handle open for CreateUser access
632 Add user to global group "None" <--- see previous post for explanation
624 Create user account <--- this is the real thing
626 Enable account
642 Account change (password last set=now, UserAccountControl flags)
628 Password set
562 SAM_DOMAIN handle closed

560 SAM_USER handle open for write
642 Account change (set logon hours) <--- note that post-Windows-XP we have greatly enhanced the detail in this event.
562 SAM_USER handle close

560 SAM_USER handle open for write
642 Account change (User parameters flags, UserAccountControl flags)
562 SAM_USER handle close

560 SAM_USER handle open for write
642 Account change (set primary group id=513)
636 Account added to local group "Users"
562 SAM_USER handle close

Now the million-dollar question is, why so noisy?

The first answer is the SAM events: almost 50% of these events are object access audits of the SAM objects themselves. See my earlier post to find out how to disable those events. Of course the brute force way is to disable object access auditing ;-)

The next answer is that several auditable activities occur here, and the way we create accounts invokes them serially rather than atomically in a single transaction. This is probably to maximize code re-use inside SAM, but I'm just guessing there.
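One way to put the pattern above to work in a log review, as an added example that is not part of the original post: fold the serial burst into a single "account created" record and measure how much of it is SAM handle noise. The sample records, their field layout and the account name "jsmith" are constructed to mirror the 17-event sequence listed above.

```python
from fractions import Fraction

HANDLE_EVENTS = {560, 562}             # SAM object handle open / close
CREATE_EVENT = 624                     # "the real thing"
FOLLOW_UP = {626, 628, 632, 636, 642}  # enable, pwd set, groups, changes

# Constructed records (event_id, object_type, target, detail) mirroring the
# 17-event pattern in the post for a hypothetical local account "jsmith".
SAMPLE_LOG = [
    (560, "SAM_DOMAIN", "BUILTIN", "open for CreateUser"),
    (632, "Global Group", "None", "member added"),
    (624, "User", "jsmith", "user account created"),
    (626, "User", "jsmith", "account enabled"),
    (642, "User", "jsmith", "pwd last set, UserAccountControl"),
    (628, "User", "jsmith", "password set"),
    (562, "SAM_DOMAIN", "BUILTIN", "handle closed"),
    (560, "SAM_USER", "jsmith", "open for write"),
    (642, "User", "jsmith", "logon hours"),
    (562, "SAM_USER", "jsmith", "handle closed"),
    (560, "SAM_USER", "jsmith", "open for write"),
    (642, "User", "jsmith", "user parameters, UserAccountControl"),
    (562, "SAM_USER", "jsmith", "handle closed"),
    (560, "SAM_USER", "jsmith", "open for write"),
    (642, "User", "jsmith", "primary group id=513"),
    (636, "Local Group", "Users", "member added"),
    (562, "SAM_USER", "jsmith", "handle closed"),
]

def sam_noise_ratio(log):
    """Share of records that are only SAM handle open/close (560/562)."""
    return Fraction(sum(ev[0] in HANDLE_EVENTS for ev in log), len(log))

def account_creations(log):
    """Fold one serial burst into one record. A burst starts at the 560
    SAM_DOMAIN open requesting CreateUser, is confirmed by 624, and collects
    follow-up IDs until the next such open. 'missing' lists expected
    follow-ups that never appeared, which deserves a second look."""
    bursts, cur = [], None
    for event_id, obj, target, detail in log:
        if event_id == 560 and obj == "SAM_DOMAIN" and "CreateUser" in detail:
            cur = {"account": None, "seen": set()}
            bursts.append(cur)
        elif cur is None:
            continue
        elif event_id == CREATE_EVENT:
            cur["account"] = target
        elif event_id in FOLLOW_UP:
            cur["seen"].add(event_id)
    confirmed = [b for b in bursts if b["account"]]
    for b in confirmed:
        b["missing"] = FOLLOW_UP - b["seen"]
    return confirmed
```

On the sample this yields a noise share of 8/17, matching the "almost 50%" figure, and one confirmed creation for "jsmith" with every expected follow-up present.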

I'm working with the SAM team to see if I can improve this in the future, but for now you have an explanation of all these events.

Best regards,

Eric