Event ID 642


  • Event ID 642

    In the event below, I am unable to conclude who has changed the password. In Caller User Name, it is showing the DC name.

    Please help me find out the person who has changed the password.

    Thanks,
    --------------------------------------------------------------
    Event Type: Success Audit
    Event Source: Security
    Event Category: Account Management
    Event ID: 642
    Date: 1/2/2008
    Time: 7:27:09 AM
    User: NT AUTHORITY\ANONYMOUS LOGON
    Computer: TESTDC1
    Description:
    User Account Changed:
    Target Account Name: Administrator
    Target Domain: TEST
    Target Account ID: TEST\Administrator
    Caller User Name: TESTDC1$
    Caller Domain: TEST
    Caller Logon ID: (0x0,0x3E7)
    Privileges: -
    Changed Attributes:
    Sam Account Name: -
    Display Name: -
    User Principal Name: -
    Home Directory: -
    Home Drive: -
    Script Path: -
    Profile Path: -
    User Workstations: -
    Password Last Set: 1/3/2008 10:11:09 AM
    Account Expires: -
    Primary Group ID: -
    AllowedToDelegateTo: -
    Old UAC Value: -
    New UAC Value: -
    User Account Control: -
    User Parameters: -
    Sid History: -
    Logon Hours: -


    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
    Last edited by charlsteve; 3rd January 2008, 12:09.

  • #2
    Re: Event ID 642

    Hi,

    The event you have mentioned just contains the changed attribute, but if you want to check who has done this, you need to look for other IDs that will also be logged along with 642.

    For password change there are 627 and 628 IDs that should be logged with 642.

    For more event description just check the below article:

    http://support.microsoft.com/kb/174074

    Regards,
    Kapil Sharma
    ~~~~~~~~~~~~~
    Life is too short, Enjoy It.
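
The correlation described in reply #2, as an added example that is not part of the original thread: it pairs each 642 that records a password change with the 627/628 events for the same target account and reports their callers. The sample records, the blank-line-separated export layout, the 5-second window and the function names are assumptions made for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample export (made-up values), using the field names from the event in the first post.
SAMPLE = """\
Event ID: 628
Date: 1/3/2008
Time: 10:11:09 AM
Target Account ID: TEST\\Administrator
Caller User Name: helpdesk
Caller Domain: TEST

Event ID: 642
Date: 1/3/2008
Time: 10:11:09 AM
Target Account ID: TEST\\Administrator
Caller User Name: TESTDC1$
Password Last Set: 1/3/2008 10:11:09 AM

Event ID: 642
Date: 1/3/2008
Time: 11:30:00 AM
Target Account ID: TEST\\jdoe
Password Last Set: -
"""

def parse_records(text):
    # Assumption: records are separated by blank lines and every field is "Key: Value".
    records = []
    for chunk in text.strip().split("\n\n"):
        rec = {}
        for line in chunk.splitlines():
            key, sep, value = line.partition(":")  # split at the first colon only
            if sep:
                rec[key.strip()] = value.strip()
        rec["when"] = datetime.strptime(rec["Date"] + " " + rec["Time"], "%m/%d/%Y %I:%M:%S %p")
        records.append(rec)
    return records

def who_changed_password(records, window=timedelta(seconds=5)):
    # A 642 only reflects a password change when "Password Last Set" carries a value.
    findings = []
    for ev in records:
        if ev["Event ID"] != "642" or ev.get("Password Last Set", "-") == "-":
            continue
        callers = [r.get("Caller Domain", "?") + "\\" + r.get("Caller User Name", "?")
                   for r in records
                   if r["Event ID"] in ("627", "628")
                   and r.get("Target Account ID") == ev["Target Account ID"]
                   and abs(r["when"] - ev["when"]) <= window]
        findings.append((ev["Target Account ID"], ev["when"], callers))
    return findings
```

An empty caller list for a 642 means no 627 or 628 was found for that account inside the window.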



    • #3
      Re: Event ID 642

      Thanks. I am able to find out who has changed the password using 628, but I am not able to find out from where they have changed it. They use a very generic ID which is used by a set of people.

      Thanks,
      Sitaram
