I would like to know which event ID can be monitored in order to check if an existing user or a new one becomes an administrator.

I searched for the 4720 and 4738 event IDs, but the information displayed in the event tells nothing about whether a user is an administrator.

How can I check that?

UPDATE

I've seen that the SID (Security Identifier) can be used to determine if a user has some administrator privileges. For example, a user is a domain administrator if its SID ends with 512 (S-1-5-21-1004336348-1177238915-682003330-512). If it ends with 500, it is a local administrator.

So, maybe a workaround is to get the SID from an AD event and check that SID. The 4720 and 4738 event IDs seem to show the SID, but not in the required format (Security ID: ACME-FR\administrator). AD tries to resolve that numeric SID to account names...

UPDATE 2

Despite the fact that AD tries to resolve the SID, there seems to be a parameter called RID which represents the group of the user. So, it should solve the issue.

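Added example, not part of the question above and not from any answer on this page. It shows detection logic a practitioner would run over exported Security event XML to catch a user being made an administrator. Two facts it relies on: the events that actually record a group membership change are 4728, 4732 and 4756 ("A member was added to a security-enabled global/local/universal group"); 4720 and 4738 describe only the user object and never list its groups. And the RID is the last sub-authority of a SID: a *group* SID ending in 512 is Domain Admins (544 under S-1-5-32 is the local Administrators group), while a user SID ending in 500 is the built-in Administrator account itself, so the check has to be made on the group's SID (TargetSid in those events), not on the member's SID. The event records, the domain SID prefix (taken from the question), the ACME-FR names and the user "jdoe" are all constructed for this example.

```python
import re
import xml.etree.ElementTree as ET

# Security events that record a member being added to a security-enabled group:
# 4728 (global), 4732 (local), 4756 (universal). 4720/4738 only describe the
# user object itself and never say which groups it belongs to.
GROUP_ADD_EVENTS = {4728: "global", 4732: "local", 4756: "universal"}

# The RID is the last sub-authority of a SID. A group SID ending in 512 is
# Domain Admins; the built-in Administrator *account* is the domain SID + 500.
PRIVILEGED_GROUPS = {
    ("domain", 512): "Domain Admins",
    ("domain", 518): "Schema Admins",
    ("domain", 519): "Enterprise Admins",
    ("builtin", 544): "Administrators",
}
BUILTIN_ADMIN_ACCOUNT_RID = 500

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def classify_sid(sid):
    """Split a SID into (scope, rid): 'domain' for S-1-5-21-... SIDs,
    'builtin' for S-1-5-32-... SIDs. Any other SID shape returns None."""
    m = re.fullmatch(r"S-1-5-21-\d+-\d+-\d+-(\d+)", sid)
    if m:
        return ("domain", int(m.group(1)))
    m = re.fullmatch(r"S-1-5-32-(\d+)", sid)
    if m:
        return ("builtin", int(m.group(1)))
    return None


def is_builtin_administrator_account(sid):
    """True only for the domain's (or machine's) built-in Administrator account."""
    return classify_sid(sid) == ("domain", BUILTIN_ADMIN_ACCOUNT_RID)


def parse_event(xml_text):
    """Return (EventID, {Data Name: value}) from an exported Security event XML."""
    root = ET.fromstring(xml_text)
    event_id = int(root.find("e:System/e:EventID", NS).text)
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return event_id, data


def privileged_group_additions(xml_events):
    """Return one alert dict per event that adds a member to a privileged group.
    The decision is made on the group's SID (TargetSid), never on its display
    name, so a renamed 'Domain Admins' group is still caught."""
    alerts = []
    for xml_text in xml_events:
        event_id, data = parse_event(xml_text)
        if event_id not in GROUP_ADD_EVENTS:
            continue  # 4720, 4738 and the like carry no group information
        group = PRIVILEGED_GROUPS.get(classify_sid(data.get("TargetSid", "")))
        if group is None:
            continue  # addition to an ordinary group
        alerts.append({
            "event_id": event_id,
            "group": group,
            "group_sid": data["TargetSid"],
            "member": data.get("MemberName", ""),
            "member_sid": data.get("MemberSid", ""),
            "added_by": f"{data.get('SubjectDomainName', '')}\\{data.get('SubjectUserName', '')}",
        })
    return alerts


def _event(event_id, **fields):
    """Build a constructed Security event in the Event Log XML schema (sample data only)."""
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID></System>'
            f"<EventData>{data}</EventData></Event>")


DOMAIN = "S-1-5-21-1004336348-1177238915-682003330"  # domain SID prefix from the question
ADMIN = dict(SubjectUserName="administrator", SubjectDomainName="ACME-FR")
JDOE = dict(MemberName="CN=jdoe,CN=Users,DC=acme,DC=fr", MemberSid=f"{DOMAIN}-1105")

# Constructed sample log: account created, added to an ordinary group, added to
# Domain Admins, added to local Administrators, then account attributes changed.
SAMPLE_EVENTS = [
    _event(4720, TargetUserName="jdoe", TargetDomainName="ACME-FR", TargetSid=f"{DOMAIN}-1105", **ADMIN),
    _event(4728, TargetUserName="Sales", TargetDomainName="ACME-FR", TargetSid=f"{DOMAIN}-1107", **JDOE, **ADMIN),
    _event(4728, TargetUserName="Domain Admins", TargetDomainName="ACME-FR", TargetSid=f"{DOMAIN}-512", **JDOE, **ADMIN),
    _event(4732, TargetUserName="Administrators", TargetDomainName="Builtin", TargetSid="S-1-5-32-544", **JDOE, **ADMIN),
    _event(4738, TargetUserName="jdoe", TargetDomainName="ACME-FR", TargetSid=f"{DOMAIN}-1105", **ADMIN),
]

if __name__ == "__main__":
    for alert in privileged_group_additions(SAMPLE_EVENTS):
        print(alert)
```

Only the two additions to Domain Admins and to BUILTIN\Administrators are reported; the 4720 and 4738 records are skipped because they say nothing about group membership. For a real deployment feed the XML from `wevtutil qe Security /f:xml` or `Get-WinEvent` (the `.ToXml()` output) into `privileged_group_additions`, and watch the matching removal events (4729, 4733, 4757) as well so that a short-lived membership is not missed.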