Anonymous change of passwords?

From: Gunnar Carlson (gunnar.carlson_at_zipper.se)
Date: 05/23/03


Date: Fri, 23 May 2003 00:37:38 -0700


OK, we've found the problem. We used an application to
set the "User cannot change the password" setting, and
this application must have screwed things up. The ACLs
of the user objects were not sorted correctly, so I guess
the "Deny" settings were never activated.

BTW - Windows 2003 seems to completely ignore the bit in
userAccountControl that indicates that the user cannot
change the password. In Windows 2000 this bit was
read-only and maintained, but Windows 2003 doesn't modify
this bit when you change the setting...

>-----Original Message-----
>We have an account that is marked with "User cannot
>change password". In the security log I found the
>following events for that very account:
>
>
>
>2003-05-19 13:36:48 Security Success
>Audit Account Management 627 NT
>AUTHORITY\ANONYMOUS LOGON DC2003-1 "Change
>Password Attempt:
> Target Account Name: 86tefirg
> Target Domain: SKOLA
> Target Account ID: SKOLA\86tefirg
> Caller User Name: ANONYMOUS LOGON
> Caller Domain: NT AUTHORITY
> Caller Logon ID: (0x0,0x972F)
> Privileges: -
>"
>2003-05-19 13:36:48 Security Success
>Audit Account Management 642 NT
>AUTHORITY\ANONYMOUS LOGON DC2003-1 "User
>Account Changed:
> Target Account Name: 86tefirg
> Target Domain: SKOLA
> Target Account ID: SKOLA\86tefirg
> Caller User Name: ANONYMOUS LOGON
> Caller Domain: NT AUTHORITY
> Caller Logon ID: (0x0,0x972F)
> Privileges: -
> Changed Attributes:
> Sam Account Name: -
> Display Name: -
> User Principal Name: -
> Home Directory: -
> Home Drive: -
> Script Path: -
> Profile Path: -
> User Workstations: -
> Password Last Set: 5/19/2003 1:36:48 PM
> Account Expires: -
> Primary Group ID: -
> AllowedToDelegateTo: -
> Old UAC Value: -
> New UAC Value: -
> User Account Control: -
> User Parameters: -
> Sid History: -
> Logon Hours: -
>
>I cannot interpret this in any other way than that the
>password has been changed. But how is that possible?
>And what does the "ANONYMOUS LOGON" mean?
>
>.
>
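As an added example, not part of the original thread: a small Python parser for 627/642 Account Management events in the format quoted above. It flags Change Password Attempts whose caller is ANONYMOUS LOGON and checks whether a 642 with Password Last Set followed for the same target and Caller Logon ID, i.e. whether the password really changed rather than only being attempted. The log text is a constructed sample modelled on the quoted events; the svc-backup account and its logon ID are made up.

```python
import re

# Constructed sample in the layout of the events quoted above (not real log data): a 627 attempt
# and the 642 that records Password Last Set, then a second 627 with no 642 (did not complete).
SAMPLE_LOG = r'''2003-05-19 13:36:48 Security Success Audit Account Management 627 NT AUTHORITY\ANONYMOUS LOGON DC2003-1 "Change Password Attempt:
 Target Account ID: SKOLA\86tefirg
 Caller User Name: ANONYMOUS LOGON
 Caller Logon ID: (0x0,0x972F)
"
2003-05-19 13:36:48 Security Success Audit Account Management 642 NT AUTHORITY\ANONYMOUS LOGON DC2003-1 "User Account Changed:
 Target Account ID: SKOLA\86tefirg
 Caller User Name: ANONYMOUS LOGON
 Caller Logon ID: (0x0,0x972F)
 Changed Attributes:
 Password Last Set: 5/19/2003 1:36:48 PM
"
2003-05-19 14:02:11 Security Success Audit Account Management 627 NT AUTHORITY\ANONYMOUS LOGON DC2003-1 "Change Password Attempt:
 Target Account ID: SKOLA\svc-backup
 Caller User Name: ANONYMOUS LOGON
 Caller Logon ID: (0x0,0x9A10)
"
'''
HEADER = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) Security \S+ Audit Account Management (\d+) ")
FIELD = re.compile(r"^\s+([^:]+): (.+)$")  # ' Key: Value' lines; 'Changed Attributes:' has no value, so it is skipped

def parse_events(text):
    """One dict per event header line, with the indented ' Key: Value' lines folded into it."""
    events = []
    for line in text.splitlines():
        if m := HEADER.match(line):
            events.append({"time": m.group(1), "id": int(m.group(2))})
        elif events and (f := FIELD.match(line)):
            events[-1][f.group(1).strip()] = f.group(2).strip()
    return events

def anonymous_password_changes(events):
    """Flag each 627 whose caller is ANONYMOUS LOGON. A 627 alone is only an attempt; the
    password actually changed if a later 642 for the same target and Caller Logon ID
    carries Password Last Set, which is the pairing seen in the quoted log."""
    findings = []
    for i, ev in enumerate(events):
        if ev["id"] != 627 or ev.get("Caller User Name") != "ANONYMOUS LOGON":
            continue
        completed = any(o["id"] == 642 and o.get("Password Last Set", "-") != "-"
                        and o.get("Target Account ID") == ev.get("Target Account ID")
                        and o.get("Caller Logon ID") == ev.get("Caller Logon ID")
                        for o in events[i + 1:])
        findings.append({"account": ev["Target Account ID"], "time": ev["time"],
                         "logon_id": ev["Caller Logon ID"], "password_changed": completed})
    return findings
```

On a real export, feed the saved security log text to parse_events and review every finding with password_changed set; an attempt that did not complete still deserves a look at the ACL on that user object.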


