Re: Logging Password Changes

---

• From: "Dave Nickason [SBS MVP]" <gwdibble@xxxxxxxxxxxxxxxxxxxxxx>
• Date: Thu, 17 Nov 2005 18:43:39 -0500

---

I'm pretty sure this is it but test to make sure.

Go into the Domain Controllers Security Policy (not Domain Security Policy).
Under Computer -> Windows -> Security -> Local -> Audit, set "Audit Account
Management" to audit success and failure. These names are abbreviated but
you'll see what I mean. IMO you should audit failure as well as success -
you could catch someone who's up to something by logging failure.

A hint: I recommend that whenever you change auditing settings, you
document exactly what you did in case you wake up to a hundred million
entries in the morning : -)

When a user changes his/her password, you'll see this in your security log:

Event Type: Success Audit
Event Source: Security
Event Category: Account Management
Event ID: 642
Date: 11/17/2005
Time: 6:32:53 PM
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: YOURSBS
Description:
User Account Changed:
Target Account Name: USER
Target Domain: DOMAIN
Target Account ID: DOMAIN\USER
Caller User Name: YOURSBS$
Caller Domain: DOMAIN
Caller Logon ID: (0x0,0x3E7)
Privileges: -
Changed Attributes:
Sam Account Name: -
Display Name: -
User Principal Name: -
Home Directory: -
Home Drive: -
Script Path: -
Profile Path: -
User Workstations: -
Password Last Set: 11/17/2005 6:32:53 PM
Account Expires: -
Primary Group ID: -
AllowedToDelegateTo: -
Old UAC Value: -
New UAC Value: -
User Account Control: -
User Parameters: -
Sid History: -
Logon Hours: -


For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.


"M Mack" <MMack@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:6364ECF1-56BC-4A50-A7A0-BCE7132784F0@xxxxxxxxxxxxxxxx
> Is there a way within SBS 2000, that I can log the dates and times that
> users
> (who have permission) change their passwords. If so where?
>
> Many thanks


.

---

• Prev by Date: Re: MYOB using TS in Admin Mode on SBS2003 Server
• Next by Date: Backup Exec 8.6 Upgrade from DAT to LTO
• Previous by thread: Re: Remote Connection to SBS-2000
• Next by thread: Backup Exec 8.6 Upgrade from DAT to LTO
• Index(es):
  • Date
  • Thread

---

Relevant Pages Re: user accounts are reappearing ... is a policy setting called "audit account management" that you can enable. ... (microsoft.public.win2000.active_directory) Re: Find who added an account to domain admins group ... "Audit Account Management" ... "Audit directory service access" ... is enable by default for successes and will audit several actions ... An account 'magically' appears in the domain admins group. ... (microsoft.public.windows.server.active_directory) Re: Is this normal or a security breach? ... The message about Office registering a provider with WMI is ... The long sequence of failed logons, ending with a success is ... If the success was for an impowered account ... (microsoft.public.windowsxp.security_admin) Re: ADAM Security Logging ... so if you look at the effective local security policy on the ADAM ... "Audit account management". ... account "Generate security audits" right in User Rights Assignment ... (microsoft.public.windows.server.active_directory) Re: Firewall and Security ... the Domain Controller Security Policy (on the server under Administrative ... >>and regular logon failure, account management success ... (microsoft.public.windows.server.sbs)

---

• Windows
• Science
• Usenet

• Archive
• About
• Privacy
• Search
• Imprint

www.tech-archive.net  > Archive  > BackOffice  > microsoft.public.backoffice.smallbiz2000  > 2005-11