What's the best way to monitor for Windows NT 4.0 account management related events?
Table 2 shows the most important account managementrelated event IDs as they appear in NT Event Viewer. To easily analyze NT 4.0 event logs or query them for a particular event ID, you can use the EventCombMT utility that comes with the Microsoft Solution for Securing Windows 2000 Server Guide (you can download the tool for free from http://www.microsoft.com /downloads /details.aspx?familyid =9964cf42-e236-4d73-aef4-7b4fdc0a25f6&displaylang=en).
EventCombMT is a powerful analysis tool that lets you collect event-log data from multiple servers and filter that data (according to your specific criteria) to a central location. Although you can't install EventCombMT on NT 4.0, you can install it on a Windows 2000 or later machine and run it against an NT 4.0 box. For more information about this tool, see "Take Advantage of the EventCombMT Utility," February 2003, http://www.secadministrator.com, InstantDoc ID 37450.
