A Andrew Story Sep 28, 2006 #1 An admin has done this, is there anyway to find out which account was responsible for this? Any info much appreciated (as always)
An admin has done this, is there anyway to find out which account was responsible for this? Any info much appreciated (as always)
P Paul Bergson Sep 28, 2006 #2 If auditing is enabled (Account Management), it will show you that the administrator password has been changed. Not much help since you know it has been changed. Look for event ids 627 and 628, setting a filter will lhelp. http://www.windowsecurity.com/articles/Auditing-Users-Groups-Windows-Security-Log.html -- Paul Bergson MCT, MCSE, MCSA, Security+, BS CSi 2003, 2000 (Early Achiever), NT http://www.pbbergs.com Please no e-mails, any questions should be posted in the NewsGroup This posting is provided "AS IS" with no warranties, and confers no rights.
If auditing is enabled (Account Management), it will show you that the administrator password has been changed. Not much help since you know it has been changed. Look for event ids 627 and 628, setting a filter will lhelp. http://www.windowsecurity.com/articles/Auditing-Users-Groups-Windows-Security-Log.html -- Paul Bergson MCT, MCSE, MCSA, Security+, BS CSi 2003, 2000 (Early Achiever), NT http://www.pbbergs.com Please no e-mails, any questions should be posted in the NewsGroup This posting is provided "AS IS" with no warranties, and confers no rights.
