Account management audit

  • Thread starter: Mykhaylo Khodorev

Mykhaylo Khodorev

Hi, all
When I change an account expiration date, in the event log I see just
information that the account was changed. But I can't see what exactly was
changed. Is it right?
Thanks.
Mykhaylo
 
Good morning,

I am not sure that I am following you. When I use Account Management
Auditing IIRC then the first line in the EventID is what was changed
followed by a bunch of information ( target and caller, etc. ).

So, if I change the password on a user account object via the ADUC MMC and
then go look in my Security log I should see a 642 ( user account changed )
followed by a 628 ( user account password set ). The 'bunch of information'
is generally something similar to the following:

Target Account Name
Target Domain
Target Account ID
Caller User Name
Caller Domain
Caller Logon ID

With the 'Target Account Name' being the user account object for whom I just
changed the password and the 'Caller User Name' being me, aka Administrator
( or Support or whatever account I was using to do this....assuming,
naturally, that it has the correct permissions ).

Are you seeing something similar or something completely different? Also, I
am going from memory so please excuse me if this is not exactly as it really
appears.

HTH,

Cary
 
Event Type: Success Audit
Event Source: Security
Event Category: Account Management
Event ID: 642
Date: 20.09.2004
Time: 10:49:01
User: ICB\rralfeus
Computer: DC1
Description:
User Account Changed:
-
Target Account Name: ralfeus
Target Domain: ICB
Target Account ID: ICB\ralfeus
Caller User Name: rralfeus
Caller Domain: ICB
Caller Logon ID: (0x0,0x1D369373)
Privileges: -

This event occurred when I changed the expiration date of account icb\ralfeus.
Nothing is said here about this. Or did I miss anything?
Thanks.
Mykhaylo

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
 
There probably will not be anything. I did some testing and found that the
only time there is any 'text' as to what was changed is when the password is
changed or when the "Password never expires" box is checked. Changing most
of the other attributes ( 'most' due to the fact that I did not change each
and every one! ) results in the basic, generic text.

Now, I also did some testing for groups - both Security ( or, better put -
security enabled ) and Distribution ( sometimes, but not always - security
disabled ) Groups. If you simply change the description or whatnot on
either of these there is a 641 and a 654 EventID with the simple text that
something changed. However, if you add or remove a user account object from
either of these groups then you get a more useful description of what
happened.

HTH,

Cary
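
An added example, not part of any post in this thread: a Python sketch that parses event text in the layout quoted above and labels each 642 as a password set when a 628 for the same target follows it, or as unspecified when the log gives no further detail. The sample records are constructed, and pairing on Target Account ID plus Caller Logon ID is an assumption of this example.

```python
import re

# Constructed sample: three records in the layout of the event quoted in the thread.
TEMPLATE = """Event ID: {eid}
Description:
{title}:
Target Account Name: {target}
Target Account ID: ICB\\{target}
Caller User Name: rralfeus
Caller Logon ID: (0x0,0x1D369373)
"""
SAMPLE = "\n".join([
    TEMPLATE.format(eid=642, title="User Account Changed", target="ralfeus"),
    TEMPLATE.format(eid=642, title="User Account Changed", target="jdoe"),
    TEMPLATE.format(eid=628, title="User Account password set", target="jdoe"),
])

FIELD = re.compile(r"^([^:\n]+):[ \t]*(.*)$", re.M)

def parse_events(text):
    """Split exported text on blank lines and turn 'Name: value' lines into dicts."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {k.strip(): v.strip() for k, v in FIELD.findall(block)}
        if "Event ID" in fields:
            events.append(fields)
    return events

def classify_changes(events):
    """Label each 642: 'password set' if the next record is a 628 for the same
    target and caller logon session (assumed correlation), else 'unspecified'."""
    key = lambda e: (e.get("Target Account ID"), e.get("Caller Logon ID"))
    results = []
    for i, ev in enumerate(events):
        if ev["Event ID"] != "642":
            continue
        nxt = events[i + 1] if i + 1 < len(events) else None
        paired = nxt is not None and nxt["Event ID"] == "628" and key(nxt) == key(ev)
        results.append((ev["Target Account Name"], "password set" if paired else "unspecified"))
    return results

if __name__ == "__main__":
    for target, label in classify_changes(parse_events(SAMPLE)):
        print(f"642 for {target}: {label}")
```

A 642 labelled unspecified is the case raised in the thread: the record names the target and the caller but not the attribute that changed.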
 