RE: Event ID 643

From: Stephan Fix (sfix_at_cybershift_nospam.com)
Date: 01/31/05 

Date: Mon, 31 Jan 2005 09:01:11 -0800

But, that's the problem. There was no change made. I'm aware of everything
you stated below, and yest DATACENTERNYC is a workgroup so the event log is a
bit confusing. Also, there is no gpttmpl.inf file on the machine.

I set up another machine in a lab the same way as our DATACENTERNYC machines
with IIS and the local security policy. Interestingly enough, Event 643 is
NOT showing up in the logs. The only difference between the lab and
production machines is Compaq management software.

"Rebecca Chen [MSFT]" wrote:

> Hi Steve,
>
> Thanks for the event log!
>
> After researching the event log, I have found the Caller User Name is
> CSMONITOR$ in the security log, it seems the system has raised this error.
> In addition, the caller Domain is DATACENTERNYC, I am a little unclear
> about this situation since you have stated it is a stand-alone machine.
> Please let me know DATACENTERNYC refers to a domain?
>
> An important cent is that I have found the corresponding application log
> "Event log 1704".
>
> Event log 1704 has indicated that security policy in the Group policy
> objects has been applied successfully. You can notice that at this time,
> security log 643 has been recorded in the security log.
>
> In the conclusion, one policy on CSMONITOR has been changed so that event
> log 1704 has been recorded in the application log and the corresponding
> security log 643.
>
> This is a normal behavior in a domain environment, please double check if
> the machine is in a domain (In My Computer's Properties->Computer Name tab,
> you can see the domain name). If it is a stand-alone machine, please
> compare the gpttmpl.inf file as I have mentioned to find out which policy
> has been changed.
>
> Please use the steps to check the status and post back if you have any
> update.
>
> Best regards,
>
> Rebecca Chen
>
> MCSE2000 MCDBA CCNA
>
>
> Microsoft Online Partner Support
> Get Secure! - www.microsoft.com/security
>
> =====================================================
>
> When responding to posts, please "Reply to Group" via your newsreader so
> that others may learn and benefit from your issue.
>
> =====================================================
> This posting is provided "AS IS" with no warranties, and confers no rights.
>
>

Relevant Pages

  • RE: Event ID 643
    ... After researching the event log, I have found the Caller User Name is ... CSMONITOR$ in the security log, it seems the system has raised this error. ... Event log 1704 has indicated that security policy in the Group policy ...
    (microsoft.public.win2000.security)
  • Re: Subject: Security Event Log reading by Domain Users
    ... our "program" is a SQL script run trough Microsoft Log Parser. ... > account will also be able to clear the security log. ... Event Log under Domain User account? ...
    (microsoft.public.win2000.security)
  • Re: Subject: Security Event Log reading by Domain Users
    ... account will also be able to clear the security log. ... Event Log under Domain User account? ... > Adding a "Manage auditing and sec. log" and "Act as the part of oper. ... > I added all possible rights to the Domain User account, from "Create a Token Object" to "Generate> Security audits", but no luck. ...
    (microsoft.public.win2000.security)
  • Re: Default Domain Controller Policy being overwritten
    ... I do have the event log size defined. ... the log file and filling up in a few days. ... It's almost like I change the policy on the ... >> errors relating to this in the event logs on either domain controller. ...
    (microsoft.public.windows.server.active_directory)
  • Re: GP NOt Working on One XP Workstation
    ... You probably need to enable logging and try to find any ... possibly related messages in the event log of that machine. ... XP that walks you through enabling logging by policy ...
    (microsoft.public.windows.group_policy)