How to monitor and control user activity in Windows

March 02, 2021

Multi-user support in Windows makes it practical to share a machine in public settings such as schools, colleges and offices. In these places an administrator is usually responsible for monitoring what the users do. Sometimes users overstep their limits and change the accounts configured in workgroup mode. This has security implications, so Windows should be configured to record user activity. With auditing enabled, administration becomes more secure, and the records identify the user responsible if something goes wrong. This article shows how to track user activity in Windows 10 / 8.1 / 8 / 7 using the audit policy. Here's how:

Tracking user activity using the audit policy

1. Press Windows key + R, type secpol.msc in the Run dialog box, and press Enter to open Local Security Policy.

2. In the Local Security Policy window, expand Security Settings -> Local Policies -> Audit Policy. Your window should now look like this:

3. In the right pane you can see nine Audit... policies, each with No auditing as its default setting. Open each policy in turn, select Success and/or Failure, then click Apply followed by OK for each policy.

This is how we configured Windows to track user activity.
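The same configuration can be applied and verified from an elevated PowerShell prompt. This is an added example, not part of the original article: it uses auditpol.exe to enable the two account-management subcategories that produce the event IDs listed later on this page, then reads the effective setting back. The subcategory names are the ones Windows ships with; the function names are my own.

```powershell
# Added example (not from the original article): enable the audit subcategories behind the
# "Audit account management" policy and read the effective policy back.
# Requires an elevated (administrator) PowerShell prompt.

# secpol.msc exposes nine broad legacy categories; auditpol.exe exposes the finer
# subcategories that Windows Vista and later actually evaluate.
$subcategories = @(
    'User Account Management',   # 4720, 4722, 4724, 4725, 4726, 4738, 4781
    'Security Group Management'  # 4728, 4729, 4731, 4732, 4733, 4734, 4735
)

function Enable-AccountAuditing {
    param([string[]]$Subcategory)
    foreach ($name in $Subcategory) {
        # Enable both success and failure: a failed attempt is as interesting as a change.
        & auditpol.exe /set /subcategory:"$name" /success:enable /failure:enable | Out-Null
        if ($LASTEXITCODE -ne 0) {
            throw "auditpol failed for '$name' (exit code $LASTEXITCODE); run from an elevated prompt."
        }
    }
}

function Get-AccountAuditing {
    param([string[]]$Subcategory)
    foreach ($name in $Subcategory) {
        # /r emits CSV; the 'Inclusion Setting' column reads e.g. "Success and Failure".
        $row = & auditpol.exe /get /subcategory:"$name" /r |
            Where-Object { $_ -match ',' } |   # drop any blank lines before the header
            ConvertFrom-Csv
        [pscustomobject]@{
            Subcategory = $name
            Setting     = $row.'Inclusion Setting'
        }
    }
}

Enable-AccountAuditing -Subcategory $subcategories
Get-AccountAuditing -Subcategory $subcategories | Format-Table -AutoSize
```

Note that with the default security option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" enabled, the subcategory settings written by auditpol take precedence over the nine legacy categories shown in secpol.msc, so checking with auditpol /get rather than the GUI is the reliable way to confirm what is actually being audited.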

To get the tracked records, do the following:

Tracking user activity using Event Viewer

1. Press Windows key + R, type eventvwr in the Run dialog box, and press Enter to open Event Viewer.

2. In the Event Viewer window, select Windows Logs -> Security in the left pane. Windows records every security event here.

3. Click an event in the central pane to view its details:

Here is the list of Event IDs covering user activity for the accounts in workgroup mode:

1. Create User: The following are the Event IDs that will be logged when the user is created.

  • Event ID: 4728 | Type: Audit Success | Category: Security Group Management | Description: A member was added to a security-enabled global group.
  • Event ID: 4720 | Type: Audit Success | Category: User Account Management | Description: A user account was created.
  • Event ID: 4722 | Type: Audit Success | Category: User Account Management | Description: A user account was enabled.
  • Event ID: 4738 | Type: Audit Success | Category: User Account Management | Description: A user account was changed.
  • Event ID: 4732 | Type: Audit Success | Category: Security Group Management | Description: A member was added to a security-enabled local group.

2. Delete User: The following are the Event IDs that will be logged when the user is deleted.

  • Event ID: 4733 | Type: Audit Success | Category: Security Group Management | Description: A member was removed from a security-enabled local group.
  • Event ID: 4729 | Type: Audit Success | Category: Security Group Management | Description: A member was removed from a security-enabled global group.
  • Event ID: 4726 | Type: Audit Success | Category: User Account Management | Description: A user account was deleted.

3. User account disabled: The following are the event IDs that are logged when the user is disabled.

  • Event ID: 4725 | Type: Audit Success | Category: User Account Management | Description: A user account was disabled.
  • Event ID: 4738 | Type: Audit Success | Category: User Account Management | Description: A user account was changed.

4. User Account Enabled: Below are the Event IDs that will be logged when the user is enabled.

  • Event ID: 4722 | Type: Audit Success | Category: User Account Management | Description: A user account was enabled.
  • Event ID: 4738 | Type: Audit Success | Category: User Account Management | Description: A user account was changed.

5. Reset user account password: The following are the event IDs that are logged when the user account password is reset.

  • Event ID: 4738 | Type: Audit Success | Category: User Account Management | Description: A user account was changed.
  • Event ID: 4724 | Type: Audit Success | Category: User Account Management | Description: An attempt was made to reset an account's password.

6. User Account Profile Path Set: Below is the Event ID that is logged when the profile path is set for a user account.

  • Event ID: 4738 | Type: Audit Success | Category: User Account Management | Description: A user account was changed.

7. Rename user account: The following are the event IDs that are logged when the user account is renamed.

  • Event ID: 4781 | Type: Audit Success | Category: User Account Management | Description: The name of an account was changed.
  • Event ID: 4738 | Type: Audit Success | Category: User Account Management | Description: A user account was changed.

8. Create Local Group: The following are the Event IDs that are logged when the local group is created.

  • Event ID: 4731 | Type: Audit Success | Category: Security Group Management | Description: A security-enabled local group was created.
  • Event ID: 4735 | Type: Audit Success | Category: Security Group Management | Description: A security-enabled local group was changed.

9. Add User to Local Group: Below is the Event ID that will be logged when the user is added to the local group.

  • Event ID: 4732 | Type: Audit Success | Category: Security Group Management | Description: A member was added to a security-enabled local group.

10. Remove user from local group: Below is the Event ID that will be logged when the user is removed from the local group.

  • Event ID: 4733 | Type: Audit Success | Category: Security Group Management | Description: A member was removed from a security-enabled local group.

11. Delete Local Group: Below is the Event ID that will be logged when the local group is deleted.

  • Event ID: 4734 | Type: Audit Success | Category: Security Group Management | Description: A security-enabled local group was deleted.

12. Rename Local Group: The following are the Event IDs that will be logged when the local group is renamed.

  • Event ID: 4781 | Type: Audit Success | Category: User Account Management | Description: The name of an account was changed.
  • Event ID: 4735 | Type: Audit Success | Category: Security Group Management | Description: A security-enabled local group was changed.
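Clicking through events one at a time in Event Viewer does not scale, so the following added example (not from the original article) queries the Security log for every event ID in the table above and reports who performed each action and which account or group it affected. It covers both the Event Viewer steps and the table. The event IDs are the ones listed on this page; the field names (SubjectUserName, TargetUserName, MemberName, NewTargetUserName) are the standard names in the EventData XML of these events, and the function name and labels are my own. Reading the Security log requires administrative rights or membership in the Event Log Readers group.

```powershell
# Added example (not from the original article): list account-management events from the
# Security log with the actor (Subject) and the affected account or group (Target).

# Event IDs from the table above, with a short label for each.
$accountEvents = @{
    4720 = 'User created';              4722 = 'User enabled'
    4724 = 'Password reset attempt';    4725 = 'User disabled'
    4726 = 'User deleted';              4728 = 'Member added to global group'
    4729 = 'Member removed from global group'; 4731 = 'Local group created'
    4732 = 'Member added to local group';      4733 = 'Member removed from local group'
    4734 = 'Local group deleted';       4735 = 'Local group changed'
    4738 = 'User changed';              4781 = 'Account renamed'
}

function Get-AccountActivity {
    param(
        [datetime]$Since = (Get-Date).AddDays(-7),   # look back one week by default
        [int]$MaxEvents = 500
    )
    $filter = @{
        LogName   = 'Security'
        Id        = [int[]]$accountEvents.Keys
        StartTime = $Since
    }
    # Get-WinEvent raises an error when nothing matches; treat that as an empty result.
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # The EventData section is a list of <Data Name="..."> elements; turn it into a map.
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

            # 4781 (rename) carries Old/NewTargetUserName instead of TargetUserName.
            $target = if ($data.ContainsKey('TargetUserName')) { $data['TargetUserName'] }
                      else { $data['NewTargetUserName'] }

            [pscustomobject]@{
                Time    = $_.TimeCreated
                Id      = $_.Id
                Action  = $accountEvents[$_.Id]
                Subject = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
                Target  = $target
                Member  = $data['MemberName']   # only set for group-membership events
            }
        }
}

# Show the last day of activity, newest first, and keep a CSV copy for the record.
Get-AccountActivity -Since (Get-Date).AddDays(-1) | Format-Table -AutoSize
Get-AccountActivity | Export-Csv -Path "$env:USERPROFILE\account-activity.csv" -NoTypeInformation
```

The Subject column is the part worth watching: on a shared workgroup machine every change to another account should come from the administrator, so any entry whose Subject is an ordinary user is the record the article's policy is meant to produce.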

This lets you keep track of users and their activity. This article applies to Windows 10 / 8.1 in workgroup mode; the procedure is different for an Active Directory domain.