Re: security event id 628 logged as 642

From: Eric Fitzgerald [MSFT] (ericf@online.microsoft.com)
Date: 04/01/03 

From: "Eric Fitzgerald [MSFT]" <ericf@online.microsoft.com>
Date: Mon, 31 Mar 2003 17:27:05 -0800

No, I wasn't able to reproduce the problem. Can you give me any more
information about your environment? 

-- 
Eric Fitzgerald
Program Manager, Windows Auditing and Intrusion Detection
Microsoft Corporation
This posting is provided "AS IS" with no warranties, and confers no rights.
"jon" <jgibson@sfcf.co.uk> wrote in message
news:2b8601c2ef98$4183a850$3001280a@phx.gbl...
> Thanks for looking at this Eric - have you come up with
> anything at all?
>
> regards
>
> Jon
>
>
> >-----Original Message-----
> >In Windows 2000, we deprecated events 626 and 629, but
> 627 and 628 have
> >always been in place.
> >
> >You are correct, you should expect event 628 when you set
> the user's
> >password without knowledge of the old password.  I will
> attempt to reproduce
> >the problem here.
> >
> >Thanks,
> >
> >Eric
> >
> >-- 
> >Eric Fitzgerald
> >Program Manager, Windows Auditing and Intrusion Detection
> >Microsoft Corporation
> >
> >This posting is provided "AS IS" with no warranties, and
> confers no rights.
> >
> >"Jon" <jgibson@sfcf.co.uk> wrote in message
> >news:05ba01c2e992$7731e1d0$3001280a@phx.gbl...
> >> I have set up server to audit account management.
> >>
> >> When I set a user's password using computer management I
> >> get event id 642 (User Account Changed) logged in the
> >> security event log.  My understanding is that it should
> >> actually be event id 628 (User Account password set).
> >>
> >> A similar problem is logged for Windows NT Server 4.0 on
> >> the microsoft kb
> >> (http://support.microsoft.com/default.aspx?scid=kb%3Ben-
> us%
> >> 3B173059) but I can't find any reference to this problem
> >> occurring under Windows 2000.
> >>
> >> I would like to resolve this to allow auditing of
> >> administrator user password changes - 642 isn't specific
> >> enough to allow this.
> >>
> >> Machine is running Windows 2000 Server SP2.
> >>
> >> Can anyone give advice or fix for this?
> >>
> >> thanks
> >>
> >> Jon
> >
> >
> >.
> >

Relevant Pages

  • Re: Datadomain Windows 2008 DC
    ... You're dcdiag states you have 6 DC's your first posting 5 DC's, ... Check the DNS registration for DCs entries on DNS server '10.0.130.101' ... FSMO roles are running on windows 2008. ... Please describe more details about datadomain and the integration ...
    (microsoft.public.windows.server.active_directory)
  • RE: Vista and Mobile Device Center Sync Problem with Windows Mobil
    ... This posting is provided "AS IS" with no warranties, and confers no rights. ... Windows Mobile-based USB device is plugged in but is unable get a network ...
    (microsoft.public.pocketpc.activesync)
  • RE: RRAS stopped - NO VPN or internal NAT
    ... Thank you for posting back and many thanks for your sharing of the troubleshoot experience. ... Bill Peng ... Double click Routing and Remote Access service in the right pane. ... >> Filemon for Windows ...
    (microsoft.public.windows.server.sbs)
  • Re: RWW Disconnecting
    ... 306802 How to Configure Small Business Server for Full Time Internet Access ... 291382 Frequently Asked Questions About Windows 2000 DNS and Windows Server ... please feel free to keep posting back. ... This newsgroup only focuses on SBS technical issues. ...
    (microsoft.public.windows.server.sbs)
  • Re: [fw-wiz] RE: IDS (was: FW appliance comparison)
    ... sound of my head beating against a wall...] ... management or egotistical employees. ... Top N targets identified in IDS alerts ... I mentioned in my last posting. ...
    (Firewall-Wizards)