Re: Account management audit

From: Cary Shultz [A.D. MVP] (cwshultz_at_mvps.org)
Date: 09/20/04


Date: Mon, 20 Sep 2004 10:21:40 -0400

Good morning,

I am not sure that I am following you. When I use Account Management
Auditing IIRC then the first line in the EventID is what was changed
followed by a bunch of information ( target and caller, etc. ).

So, if I change the password on a user account object via the ADUC MMC and
then go look in my Security log I should see a 642 ( user account changed )
followed by a 628 ( user account password set ). The 'bunch of information'
is generally something similar to the following:

Target Account Name
Target Domain
Target Account ID
Caller User Name
Caller Domain
Caller Logon ID

With the 'Target Account Name' being the user account object for whom I just
changed the password and the 'Caller User Name' being me, aka Administrator
( or Support or whatever account I was using to do this....assuming,
naturally, that it has the correct permissions ).

Are you seeing something similar or something completely different? Also, I
am going from memory so please excuse me if this is not exactly as it really
appears.

HTH,

Cary

"Mykhaylo Khodorev" <ralfeus@chicagocentre.com.ua> wrote in message
news:cim32f$25ge$1@news.dg.net.ua...
> Hi, all
> When I change an account expiration date, in the event log I see just
> information that the account was changed. But I can't see what exactly was
> changed. Is that right?
> Thanks.
> Mykhaylo
>
>
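
Added example (not part of the original posts): a Python check that pairs each 642 with an immediately following 628 for the same target and caller logon session, as the reply describes, so that 642 records with no accompanying detail stand out. The records are constructed, and the "Field: value" text layout and the EXAMPLE domain are assumptions, since the reply lists the fields from memory.

```python
def _desc(target, caller, logon_id, domain="EXAMPLE"):
    """Build a constructed event description using the fields named in the post."""
    return (f"Target Account Name: {target}\nTarget Domain: {domain}\n"
            f"Target Account ID: {domain}\\{target}\nCaller User Name: {caller}\n"
            f"Caller Domain: {domain}\nCaller Logon ID: {logon_id}")

# Constructed sample records (event ID, description text); not real log output.
SAMPLE_EVENTS = [
    (642, _desc("jdoe", "Administrator", "(0x0,0x1A2B3)")),   # password reset...
    (628, _desc("jdoe", "Administrator", "(0x0,0x1A2B3)")),   # ...confirmed by 628
    (642, _desc("asmith", "Support", "(0x0,0x4C5D6)")),       # some other change
]

def parse_fields(description):
    """Split 'Field: value' lines into a dict; lines without a colon are skipped."""
    fields = {}
    for line in description.splitlines():
        name, sep, value = line.partition(":")
        if sep:
            fields[name.strip()] = value.strip()
    return fields

def _key(fields):
    # Same target account and same caller logon session identify one action.
    return (fields.get("Target Account Name"), fields.get("Target Domain"),
            fields.get("Caller Logon ID"))

def classify_changes(events):
    """Return (target, caller, label) for every 642 record in log order."""
    results = []
    for i, (event_id, text) in enumerate(events):
        if event_id != 642:
            continue
        cur = parse_fields(text)
        label = "unspecified change"
        if i + 1 < len(events) and events[i + 1][0] == 628:
            if _key(parse_fields(events[i + 1][1])) == _key(cur):
                label = "password set"
        results.append((cur.get("Target Account Name"),
                        cur.get("Caller User Name"), label))
    return results

if __name__ == "__main__":
    for target, caller, label in classify_changes(SAMPLE_EVENTS):
        print(f"{target}: {label} (by {caller})")
```

A 642 labelled "unspecified change" is the case the original question asks about: the record names the target and the caller but not the attribute that was modified.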


