C
Chuck Chopp
I have an interesting dilemma. I have audits enabled on my DCs for
successful Account Management activities. This is properly logging user
account create and user account delete events w/o any problems. However,
I'm noticing that when I change the SAM Account Name attribute on a user
object, I'm only getting event 642 in the security event log, which says
that a property of the user changed [SAM Account Name] and what the current
value is. I should also be getting event 685 that specifically notes both
the previous and current values for the account name. This is happening on
all the DCs in my test forest, where I have 2 trees, 1 with 3 domains, 1
with 2 domains, a single DC per domain, all running Win2K3 Enterprise SP1.
On a single Win2K3 Enterprise SP1 server that is the only DC in the only
domain in the only tree in the forest, I get both 642 an 685 events when
changing the SAM Account Name of a user object.
Is there any known reason why I wouldn't get the 685 event in the security
audit event log when changing any of the naming attribute values for a user
object?
TIA,
Chuck
--
Chuck Chopp
ChuckChopp (at) rtfmcsi (dot) com http://www.rtfmcsi.com
RTFM Consulting Services Inc. 864 801 2795 voice & voicemail
103 Autumn Hill Road 864 801 2774 fax
Greer, SC 29651
"Racing to save lives"
The Leukemia & Lymphoma Society - Team in Training
http://www.active.com/donate/tntsc/tntscCChopp
Do not send me unsolicited commercial email.
successful Account Management activities. This is properly logging user
account create and user account delete events w/o any problems. However,
I'm noticing that when I change the SAM Account Name attribute on a user
object, I'm only getting event 642 in the security event log, which says
that a property of the user changed [SAM Account Name] and what the current
value is. I should also be getting event 685 that specifically notes both
the previous and current values for the account name. This is happening on
all the DCs in my test forest, where I have 2 trees, 1 with 3 domains, 1
with 2 domains, a single DC per domain, all running Win2K3 Enterprise SP1.
On a single Win2K3 Enterprise SP1 server that is the only DC in the only
domain in the only tree in the forest, I get both 642 an 685 events when
changing the SAM Account Name of a user object.
Is there any known reason why I wouldn't get the 685 event in the security
audit event log when changing any of the naming attribute values for a user
object?
TIA,
Chuck
--
Chuck Chopp
ChuckChopp (at) rtfmcsi (dot) com http://www.rtfmcsi.com
RTFM Consulting Services Inc. 864 801 2795 voice & voicemail
103 Autumn Hill Road 864 801 2774 fax
Greer, SC 29651
"Racing to save lives"
The Leukemia & Lymphoma Society - Team in Training
http://www.active.com/donate/tntsc/tntscCChopp
Do not send me unsolicited commercial email.