| Hi
|
| Can anyone help, I'm getting event ID 643 in the security
| log when auditing AD. It happens every 5 mins as expected
| and it's successful. Looked it up and Microsoft seem to
| point me at:
|
| Domain Policy Changed: Password Policy
| This might indicate an attacker is making it easier to
| guess passwords on the system or to create a social
| engineering attack.
|
| I'm not changing the password policy.... so any help would
| be good.
|
| Thanks
|
| Paul
|
|
Paul,
A Windows 2000 client may generate the following event at periodic
intervals, even though the password policy of the system has not been
changed:

Event ID: 643
Type: Success Audit
Description: Domain Policy Changed:
Domain: %1 Domain ID: %2
Caller User Name: %3 Caller Domain: %4
Caller Logon ID: %5 Privileges: %6

Cause:
======
This issue is described in the following file BUG: WinSERaid2 26704
It details how "Password Policy Change" (event 643) does not distinguish
between policy refresh and actual password policy change. Thus, each time
that a client or server refreshes their local security policy (5 minutes
for Active Directory domain clients or 16 hours for NT 4.0 domain clients),
the audit event 643 occurs.

Resolution:
=========
This behavior is by design and is not indicating a problem with security or
auditing. This audit event can be safely ignored. In the event that there
is no associated Event 1704 in the application event log for a 643 event,
then this may very well be because of a password policy change.

Chad A. Lacy
Windows 2000 Directory Services
==================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
==================================
This posting is provided "AS IS" with no warranties, and confers no rights.
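
The check described in the reply above (a 643 with no associated 1704 in the application log may be a real password policy change), written out as an added example that is not part of the original thread or any Microsoft tooling. It assumes events have already been exported as (log, event ID, host, timestamp) records; the host names, timestamps and the 60-second matching window are constructed assumptions, since the thread does not say how close the two events must be.

```python
from datetime import datetime, timedelta

TS_FORMAT = "%Y-%m-%d %H:%M:%S"

# Assumption: the thread gives no time window for an "associated" 1704.
WINDOW = timedelta(seconds=60)

# Constructed sample records (not real log data): (log, event_id, host, timestamp)
SAMPLE_EVENTS = [
    ("Application", 1704, "DC01", "2003-05-12 10:00:02"),
    ("Security",     643, "DC01", "2003-05-12 10:00:03"),  # policy refresh
    ("Application", 1704, "DC01", "2003-05-12 10:05:02"),
    ("Security",     643, "DC01", "2003-05-12 10:05:04"),  # policy refresh
    ("Security",     643, "DC01", "2003-05-12 10:07:41"),  # no 1704 nearby
    ("Application", 1704, "WS02", "2003-05-12 10:07:40"),  # other host, must not match
]


def unmatched_643(records, window=WINDOW):
    """Return (host, timestamp) for every Security 643 that has no
    Application 1704 on the same host within `window` of it."""
    refreshes = {}   # host -> times of 1704 events
    changes = []     # (host, time) of 643 events
    for log, event_id, host, ts in records:
        when = datetime.strptime(ts, TS_FORMAT)
        if log == "Application" and event_id == 1704:
            refreshes.setdefault(host, []).append(when)
        elif log == "Security" and event_id == 643:
            changes.append((host, when))

    flagged = []
    for host, when in sorted(changes, key=lambda c: c[1]):
        nearby = any(abs(when - r) <= window for r in refreshes.get(host, []))
        if not nearby:
            flagged.append((host, when.strftime(TS_FORMAT)))
    return flagged


if __name__ == "__main__":
    for host, ts in unmatched_643(SAMPLE_EVENTS):
        print(f"review: 643 on {host} at {ts} has no matching 1704")
```

Matching is per host because each machine logs its own refresh; a 1704 from another machine says nothing about a 643 on this one.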