Unable to receive an alert for Event ID 626 from the VigilEnt Security Agent for Windows Detect agent for any of my Windows NT4.0 machines.
Event ID 626 not showing up on domain controllers.
This is a known Microsoft issue. When audit policies are set to log User and Group Management events, some Event IDs are not recorded in the event log when the event to which they refer occurs. The following events should be recorded when auditing User and Group Management events:
- Event ID 625: User Account Type Change
- Event ID 626: User Account Enabled
- Event ID 628: User Account password set
- Event ID 629: User Account Disabled
- Event ID 640: General Account Database Change
However, all of these events are logged as Event ID 642: User Account Changed, and the record indicates that a change has been made to a User Account.
To resolve this problem, obtain the latest service pack for Windows NT 4.0 or Windows NT Server 4.0, Terminal Server Edition from Microsoft's website http://support.microsoft.com/.