Auditing User Account Name Changes

Someone recently renamed an employee's account to something inappropriate, and we can't determine who did it. Is there a way to find out from the Security event log?

The answer is yes if the Audit account management events audit policy was enabled on your domain controllers (DCs) at the time of the change. A user account has several name fields: The Common Name field is the name displayed when user objects are listed in an organizational unit (OU) in the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in. The Display Name field is found on the General tab of the user object's Properties dialog box. The Logon Name field is also known as the User Principal Name. The pre-Windows 2000 logon name is also called the SAM Account Name.

Look first for event ID 685, which Windows logs if you change the pre-Win2K logon name. (Figure 1 shows an example.) If the pre-Win2K logon name wasn't changed, look at event ID 642 (user account changed) and examine the fields the event lists as having been modified. When you find the changed name, check the User field to find out who made the change.

If the only name field changed is Common Name, Windows doesn't log event ID 642. To track changes to the Common Name field, you must enable the Audit directory service access audit policy and make sure that user objects have auditing enabled for the cn property.