Re: Account management audit

From: Cary Shultz [A.D. MVP] (cwshultz_at_mvps.org)
Date: 09/21/04


Date: Tue, 21 Sep 2004 12:49:03 -0400

There probably will not be anything. I did some testing and found that the
only time there is any 'text' as to what was changed is when the password is
changed or when the "Password never expires" box is checked. Changing most
of the other attributes ( 'most' due to the fact that I did not change each
and every one! ) results in the basic, generic text.

Now, I also did some testing for groups - both Security ( or, better put -
security enabled ) and Distribution ( sometimes, but not always - security
disabled ) Groups. If you simply change the description or what not on
either of these there is a 641 and a 654 EventID with the simple text that
something changed. However, if you add or remove a user account object from
either of these groups then you get a more useful description of what
happened.

HTH,

Cary

"Mykhaylo Khodorev" <ralfeus@chicagocentre.com.ua> wrote in message
news:ciohg2$hn$1@news.dg.net.ua...
> Event Type: Success Audit
> Event Source: Security
> Event Category: Account Management
> Event ID: 642
> Date: 20.09.2004
> Time: 10:49:01
> User: ICB\rralfeus
> Computer: DC1
> Description:
> User Account Changed:
> -
> Target Account Name: ralfeus
> Target Domain: ICB
> Target Account ID: ICB\ralfeus
> Caller User Name: rralfeus
> Caller Domain: ICB
> Caller Logon ID: (0x0,0x1D369373)
> Privileges: -
>
> This event occurred when I've changed expiration date of account
> icb\ralfeus.
> Here is nothing told about this. Or I missed anything?
> Thanks.
> Mykhaylo
>
> For more information, see Help and Support Center at
> http://go.microsoft.com/fwlink/events.asp.
>
> "Cary Shultz [A.D. MVP]" <cwshultz@mvps.org> wrote in message
> news:uO%231m0xnEHA.3464@tk2msftngp13.phx.gbl...
> > Good morning,
> >
> > I am not sure that I am following you. When I use Account Management
> > Auditing IIRC then the first line in the EventID is what was changed
> > followed by a bunch of information ( target and caller, etc. ).
> >
> > So, if I change the password on a user account object via the ADUC MMC and
> > then go look in my Security log I should see a 642 ( user account changed )
> > followed by a 628 ( user account password set ). The 'bunch of information'
> > is generally something similar to the following:
> >
> > Target Account Name
> > Target Domain
> > Target Account ID
> > Caller User Name
> > Caller Domain
> > Caller Logon ID
> >
> > With the 'Target Account Name' being the user account object for whom I just
> > changed the password and the 'Caller User Name' being me, aka Administrator
> > ( or Support or whatever account I was using to do this....assuming,
> > naturally, that it has the correct permissions ).
> >
> > Are you seeing something similar or something completely different? Also, I
> > am going from memory so please excuse me if this is not exactly as it really
> > appears.
> >
> > HTH,
> >
> > Cary
> >
> > "Mykhaylo Khodorev" <ralfeus@chicagocentre.com.ua> wrote in message
> > news:cim32f$25ge$1@news.dg.net.ua...
> >> Hi, all
> >> When I change an account expiration date, in event log I see just
> >> information that account was changed. But I can't see what exactly was
> >> changed. Is it right?
> >> Thanks.
> >> Mykhaylo
> >>
> >>
> >
> >
>
>
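
Added example, not part of the thread: a small parser for the exported event text posted above that separates the header, the line(s) under the description title and the Target/Caller fields, and reports whether a 642 says what was changed. The function names are hypothetical, and the layout (title line, then change text or "-", then fields) is assumed from the single record in the thread.

```python
import re

# The 642 record as posted in the thread, quote markers removed.
SAMPLE_642 = r"""
Event Type: Success Audit
Event Source: Security
Event Category: Account Management
Event ID: 642
Date: 20.09.2004
Time: 10:49:01
User: ICB\rralfeus
Computer: DC1
Description:
User Account Changed:
-
Target Account Name: ralfeus
Target Domain: ICB
Target Account ID: ICB\ralfeus
Caller User Name: rralfeus
Caller Domain: ICB
Caller Logon ID: (0x0,0x1D369373)
Privileges: -
"""
FIELD = re.compile(r"^([A-Za-z][A-Za-z ]*):\s*(.*)$")

def parse_event(text):
    """Return (header, detail, fields) for one exported Security event."""
    header, detail, fields, section = {}, [], {}, "header"
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        m = FIELD.match(line)
        if section == "header":
            if line == "Description:":
                section = "title"
            elif m:
                header[m.group(1)] = m.group(2)
        elif section == "title":            # e.g. "User Account Changed:"
            header["Title"], section = line.rstrip(":"), "detail"
        elif section == "detail" and not m:
            detail.append(line)             # text before the first field
        elif m:
            section = "fields"
            fields[m.group(1)] = m.group(2)
    return header, detail, fields

def lacks_change_detail(text):
    """True when a 642 names target and caller but not the attribute."""
    header, detail, _ = parse_event(text)
    return header.get("Event ID") == "642" and all(d == "-" for d in detail)
```
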


