Re: Security Event ID: 627, 560
From: Eric Fitzgerald [MSFT] (ericf@online.microsoft.com)
Date: 12/31/02
- Next message: Eric Fitzgerald [MSFT]: "Re: Event Log"
- Previous message: Eric Fitzgerald [MSFT]: "Re: Account Unlock event not written to the eventlog"
- In reply to: Russ: "Security Event ID: 627, 560"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Eric Fitzgerald [MSFT]" <ericf@online.microsoft.com> Date: Tue, 31 Dec 2002 13:32:41 -0800
The second message appears to be a low-level object access audit which
reflects the first event (can't verify because timestamps are missing).
-- Eric Fitzgerald Program Manager, Windows Auditing and Intrusion Detection Microsoft Corporation This posting is provided "AS IS" with no warranties, and confers no rights. "Russ" <rfindley@allegis.com> wrote in message news:uWn923FqCHA.1664@TK2MSFTNGP10... > Hello All: > > We just enabled some more logging on our domain policy and we are now > receiving two security error messages that I'm not sure if I should ignore. > See Below: > > Security:627 > > Change Password Attempt: Target Account Name: TsInternetUser Target Domain: > <ComputerName> Target Account ID: > %{S-1-5-21-776561741-1417001333-688224880-1000} Caller User Name: > <ComputerName$> Caller Domain: <Domain Name> Caller Logon ID: (0x0,0x3E7) > Privileges: - > > Security:560 > > Object Open: Object Server: Security Account Manager Object Type: SAM_USER > Object Name: DOMAINS\Account\Users\000003E8 New Handle ID: - Operation ID: > {0,9800585} Process ID: 268 Primary User Name: <ComputerName$> Primary > Domain: <Domain Name> Primary Logon ID: (0x0,0x3E7) Client User Name: > SFRPT1$ Client Domain: OPSBRYANTHQ Client Logon ID: (0x0,0x3E7) Accesses > ChangePassword (with knowledge of old password) Privileges > > I've researched this message and only run across one article: > http://support.microsoft.com/default.aspx?scid=kb;en-us;244057 > > This article refers to the message that we are receiving, but the article > also refers to this message being logged if we are running Terminal Services > Internet Connector License. If you look at Start|Programs|Administrative > Tools|TM Configuration|Properties on RDP|Services --the TM Internet > Connector License is disabled. Does anyone have anymore insight because we > don't like to ignore security error messages. > > Russ > > > >
- Next message: Eric Fitzgerald [MSFT]: "Re: Event Log"
- Previous message: Eric Fitzgerald [MSFT]: "Re: Account Unlock event not written to the eventlog"
- In reply to: Russ: "Security Event ID: 627, 560"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
