RE: Event for Password Changes



Hi compsosinc,

Thanks for posting here.

From the description, I understand the issue is that you want to know whether
Windows 2000 Server or SBS 2000 can audit password changes through account
management auditing. If I am off base, please don't hesitate to let me know.

Based on my research, password changes can be audited after you open the
Domain Controller Security Policy and enable Audit account management.
To do so:
1. Open Domain Controller Security Policy.
2. Expand Local Policies.
3. Click Audit Policy.
4. In the right panel, double-click Audit account management, select
   Define these policy settings, and select Success and Failure. Click OK.

Then, when a user changes a password, several events are written to the
security log, as listed below.

Event ID:642 (0x0282)
Type:Success Audit
Description:User Account Changed

Event ID:628 (0x0274)
Type:Success Audit
Description:User Account password set

You can check event IDs 628 and 642 in the security log with Event Viewer.

Note: Audit account management includes account password changes. As long as
you make a change to any account attribute, including a password change, a
security log entry will be generated right away.

For your convenience, please refer to the following KB article:

Windows 2000 Security Event Descriptions (Part 2 of 2)
http://support.microsoft.com/kb/301677/en-us

In addition, Windows Server 2003 and SBS 2003 also support Audit account
management.

Hope this helps.

I appreciate your time. Please try my suggestion above and I look forward
to your reply.


Best regards,

Jacky Luo (MSFT)
Microsoft CSS Online Newsgroup Support
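
The following is an added example, not part of the original post and not Microsoft code: it reads an exported security log and uses event 628 to separate password sets from other account changes that also raise event 642. The CSV layout, the sample rows, and the "Target Account Name" / "Caller User Name" description fields are assumptions made for illustration.

```python
import csv
import io
import re
from datetime import datetime, timedelta

# Event IDs named in the post above.
ACCOUNT_CHANGED, PASSWORD_SET = 642, 628

# Constructed sample export (not real log data). The column layout and the
# "Target Account Name" / "Caller User Name" description fields are assumptions.
SAMPLE_LOG = """\
date,time,type,event_id,description
2006-03-01,09:14:02,Success Audit,628,User Account password set: Target Account Name: alice Caller User Name: alice
2006-03-01,09:14:02,Success Audit,642,User Account Changed: Target Account Name: alice Caller User Name: alice
2006-03-01,10:30:45,Success Audit,642,User Account Changed: Target Account Name: bob Caller User Name: admin1
2006-03-01,11:05:10,Success Audit,628,User Account password set: Target Account Name: carol Caller User Name: admin1
2006-03-01,11:05:11,Success Audit,642,User Account Changed: Target Account Name: carol Caller User Name: admin1
2006-03-01,11:20:00,Success Audit,528,Successful Logon: User Name: carol
"""

FIELD = re.compile(r"(Target Account Name|Caller User Name): (\S+)")

def parse_events(text):
    """Yield (timestamp, event_id, target, caller) for events 628 and 642."""
    for row in csv.DictReader(io.StringIO(text)):
        event_id = int(row["event_id"])
        if event_id not in (ACCOUNT_CHANGED, PASSWORD_SET):
            continue
        fields = dict(FIELD.findall(row["description"]))
        when = datetime.strptime(row["date"] + " " + row["time"], "%Y-%m-%d %H:%M:%S")
        yield when, event_id, fields.get("Target Account Name"), fields.get("Caller User Name")

def classify(text, window=timedelta(seconds=5)):
    """Split 642 events into password sets (a 628 for the same target within
    `window`) and other attribute changes; also flag who set whose password."""
    events = list(parse_events(text))
    sets = [(w, t, c) for w, e, t, c in events if e == PASSWORD_SET]
    other = [(w, t, c) for w, e, t, c in events if e == ACCOUNT_CHANGED
             and not any(t == st and abs(w - sw) <= window for sw, st, _ in sets)]
    password_sets = [{"when": w, "target": t, "caller": c, "by_other": t != c}
                     for w, t, c in sets]
    return password_sets, other

if __name__ == "__main__":
    password_sets, other = classify(SAMPLE_LOG)
    print("password sets:", [(p["target"], p["caller"]) for p in password_sets])
    print("other account changes:", [(t, c) for _, t, c in other])
```
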



