MonitorWare Knowledge Base

by **infimurf** on Wed Oct 27, 2004 2:58 pm

I had two events in my event log. They seem to be system generated.

One saying 'user account password set' the other saying 'user account changed'. The target account name was 'PC001$', which is the name of one of my servers. Is this normal behaviour for windows NT 4 what generates it?

by **therget** on Thu Oct 28, 2004 10:36 am

Event ID: 628
->Type: Success Audit
->Description:
-> User Account password set

A privileged user (i.e. Administrator) has set a user password.

Event ID: 642
->Type: Success Audit
->Description:
-> User Account Changed

A privileged user (i.e. Administrator) made changes to an account.
This event may also be generated if you analyze the server security using the Microsoft Baseline Security Analyzer.

Best Regards,
Timm Herget
Adiscon

by **infimurf** on Thu Oct 28, 2004 1:55 pm

the thing is no one made any changes. It's hard to explain to auditors that we cannot show the source of what made the change. I understand that it is the o/s doing the change....but it doesn;t say why.

by **TotalNewbie** on Thu Dec 16, 2004 4:54 pm

Infimurf, did you find a good answer to this question? I found the same thing in my security log and no one in the IT is changing the passwords manually.

I'm concerned because it's done the same thing to 7 of the computers in the network. in the last week.

Any help would be appreciated.

Thanks.

by **infimurf** on Fri Dec 17, 2004 3:33 am

no i havent up to this point

MonitorWare Knowledge Base

Event ID 642

Event ID 642

Google Ads

Who is online