Re: Auditing AD: Analyzing event 565

From: Eric Fitzgerald [MS] (ericf@online.microsoft.com)
Date: 11/02/02 

From: "Eric Fitzgerald [MS]" <ericf@online.microsoft.com>
Date: Fri, 1 Nov 2002 16:59:18 -0800

Hi Tim,

This is a normal password change audit.

Windows has multiple APIs to change passwords. This event means that
someone with the rights to manage that account, reset the user's password.
This is known as a "password set".

When a user changes their own password the event looks different, it does
not mention "without knowledge of the old password". This is known as a
"password change".

We'll be including some better documentation on auditing in the Windows .NET
Server Resource Kit; there are a couple of resources now:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bestprac/bpent/sec3/monito.asp

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/prodtech/windows/windows2000/staysecure/secops06.asp

Eric Fitzgerald
Program Manager, Windows Auditing and Intrusion Detection

"Tim Smith" <tgsmith24@hotmail.com> wrote in message
news:ug3KCVagCHA.2532@tkmsftngp09...
> cc: Active Directory newsgroup
>
> I have enabled auditing on Directory Service Access, and am seeing
numerous
> events 562 and 565. For the 565 events, under the 'accesses' section, I am
> seeing the following entries:
> READ_CONTROL
> WritePreferences
> ReadAccount
> SetPassword(Without knowledge of old password)
> Under the 'Properties' section that follows this, I am seeing all of the
> above, plus two additional entries: ListGroups and Change Password.
> Trying to interperet these: Does this mean that a user account's password
> was changed?
> Does anyone know of any on-line resources (or books) that go into depth on
> audit events and analyzing them?
>
> Thanks
>
>
>
>
>

Relevant Pages

  • Re: Device Mgr. mistakes wireless card for PCI device
    ... Resources tab. ... Windows 2000 attempts to flag the associated device that is ... Although multithreading helps to alleviate this problem, it may not resolve ... Windows 2000 device driver for the ISA device. ...
    (microsoft.public.win2000.general)
  • Re: Event ID 1500 and 1508 - user cannot login
    ... It's not common in my experience. ... Resource cleanup with Windows 2003 TS should only become a factor due to specific misbehaving applications, drivers, etc and should be addressed at the level. ... reboot the server pretty consistently to clean up resources. ... Profile> Do not ...
    (microsoft.public.windows.terminal_services)
  • Re: Boots up in safe mode-graphics card message.
    ... Brian A. Wrote:- ... Why can't it find enough resources and exactly which other ... How to manage devices in Windows XP ... graphic drivers for your device or the Standard VGA drivers. ...
    (microsoft.public.windowsxp.help_and_support)
  • Re: increasing handles | large VM consumption | windows service on Win2k server
    ... you may be able to guess which interface pointers are really leaked. ... > cleanup of these resources. ... > the same work running under a windows service as it is when it runs as a ... >>> console ...
    (microsoft.public.win32.programmer.wmi)
  • Re: Is it worth upgrading to XP Pro ?
    ... >I would have expected that the allocations to User/DGI resources were ... The resource pools and their 64k limit are a gift of the compatibility gods. ... Windows 3.1 was a 16-bit operating system, so if you do the math you ... GDI pools you would break all sorts of interesting things when a program ...
    (microsoft.public.windowsxp.basics)