Event id 627


Marc Hillman

When I boot up I get about 30 scary looking messages in the event log. They
seem to be in pairs exactly 3 seconds apart. What does event 627 REALLY
mean. Sample follows.

Event Type: Failure Audit
Event Source: Security
Event Category: Account Management
Event ID: 627
Date: 15/09/2003
Time: 7:19:16 PM
User: VULCAN\Marc Hillman
Computer: VULCAN
Description:
Change Password Attempt:
Target Account Name: Marc Hillman
Target Domain: VULCAN
Target Account ID: VULCAN\Marc Hillman
Caller User Name: Marc Hillman
Caller Domain: VULCAN
Caller Logon ID: (0x0,0x197F4)
Privileges: -

_______________________________________
Marc Hillman, Melbourne, Australia
web: http://users.tpg.com.au/mhillman/
 
go here to view this error: www.eventid.com


Event ID: 627
Source Security
Type Failure Audit
Description Change Password Attempt:
Target Account Name: <user name>
Target Domain: <domain name>
Target Account ID: %{<SID>}
Caller User Name: <name>$
Caller Domain: <domain>
Caller Logon ID: (0x0,0x3E7)
Privileges: -
Comments Adrian Grigorof (Last update 4/26/2003):
Audit message for a Change Password Attempt operation.

If the user is TsInternetUser then see Q244057 (the system changes the
password used by the TsInternetUser account for security purposes).
Links Q174074 , Q244057 , Online Analysis of Security Event Log
 
What sort of reply is that ???? The site is still under construction, and
it's got nothing to do with Windows security. Any SENSIBLE answer much
appreciated.
 
It REALLY means that some code running in Marc's logon session tried to
change his password.

Here's my best guess:
Do you have a password rotation policy? Maybe he's trying to circumvent it.
I've seen that before, where users who don't want to change their passwords
will write a script to do so, and this is what it looks like in the log.

Of course it could be something else, even something malicious, but I'd look
for obvious things first.

If you've enabled process tracking on his box, prior to this log, you can
look for processes in logon session (0x0,0x197F4) to see what exe's he was
running at the time.

Eric

--
Eric Fitzgerald
Program Manager, Windows Auditing
Microsoft Corporation

The above message is provided "AS-IS" with no warranties, and confers no
rights.
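Added example, not code from the thread, from Microsoft or from eventid.net: a small Python parser for text-exported Security events in the form Marc pasted. It flattens each event's fields, flags 627 audits that arrive in close pairs (the 3-second spacing Marc described), and, where process tracking was enabled, lists the process-creation audits that share the Caller Logon ID, which is the correlation Eric suggests. The process-creation event (592 on Windows 2000/XP), its field layout and the sample process path are assumptions; the sample log is constructed from the thread's own event plus two made-up records.

```python
"""Correlate Change Password Attempt audits (event 627) with process-tracking
audits by logon session, working from a text export of the Security log.
Added example; not from the thread."""
import re
from datetime import datetime

# Constructed sample: Marc's 627 event, a second 627 exactly 3 s later, and a
# process-creation audit (592; layout assumed) from the same logon session.
# The image path is a placeholder, not a real finding.  Header lines the
# parser does not need are omitted from the second and third records.
SAMPLE_LOG = r"""Event Type: Failure Audit
Event Source: Security
Event Category: Account Management
Event ID: 627
Date: 15/09/2003
Time: 7:19:16 PM
User: VULCAN\Marc Hillman
Computer: VULCAN
Description:
Change Password Attempt:
Target Account Name: Marc Hillman
Target Domain: VULCAN
Target Account ID: VULCAN\Marc Hillman
Caller User Name: Marc Hillman
Caller Domain: VULCAN
Caller Logon ID: (0x0,0x197F4)
Privileges: -

Event Type: Failure Audit
Event ID: 627
Date: 15/09/2003
Time: 7:19:19 PM
Description:
Change Password Attempt:
Target Account Name: Marc Hillman
Caller User Name: Marc Hillman
Caller Logon ID: (0x0,0x197F4)

Event Type: Success Audit
Event ID: 592
Date: 15/09/2003
Time: 7:19:10 PM
Description:
A new process has been created:
New Process ID: 1234
Image File Name: C:\example\unknown.exe
User Name: Marc Hillman
Logon ID: (0x0,0x197F4)
"""

FIELD_RE = re.compile(r"^([^:]+):\s*(.*)$")  # splits at the first colon only


def parse_events(text):
    """Split a text export into blank-line separated events and flatten every
    'Key: Value' line, header and description alike, into one dict."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            m = FIELD_RE.match(line.strip())
            if m:
                fields[m.group(1).strip()] = m.group(2).strip()
        if "Event ID" in fields:
            # Date is dd/mm/yyyy as in the Australian-locale export above
            fields["timestamp"] = datetime.strptime(
                fields["Date"] + " " + fields["Time"], "%d/%m/%Y %I:%M:%S %p")
            events.append(fields)
    return sorted(events, key=lambda e: e["timestamp"])


def password_change_attempts(events):
    """All 627 audits, in time order."""
    return [e for e in events if e.get("Event ID") == "627"]


def pairs_within(events, seconds):
    """Consecutive events whose timestamps are at most `seconds` apart."""
    return [(a, b) for a, b in zip(events, events[1:])
            if (b["timestamp"] - a["timestamp"]).total_seconds() <= seconds]


def processes_for_logon(events, logon_id):
    """Image names from process-creation audits (592) in one logon session."""
    return [e["Image File Name"] for e in events
            if e.get("Event ID") == "592" and e.get("Logon ID") == logon_id]


def attempts_by_caller(events):
    """Count 627 audits per Caller Logon ID to see which session is busy."""
    counts = {}
    for e in password_change_attempts(events):
        counts[e["Caller Logon ID"]] = counts.get(e["Caller Logon ID"], 0) + 1
    return counts


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for session, n in attempts_by_caller(evs).items():
        print(session, n, "attempt(s); processes:", processes_for_logon(evs, session))
```

Paste the exported events into SAMPLE_LOG, or read the file instead, and the script reports each logon session that attempted a password change together with the executables started in that session. Without process tracking the 592 records simply are not there and the process list comes back empty, which is why Eric's advice depends on that audit category having been enabled beforehand.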
 
I have no password rotation policy, and no scripts. The 'problem' occurred
when I configured a remote access connection. I quickly realised this wasn't
what I wanted, and removed it. Whilst the connection existed I had the
symptoms described. Still don't understand why I had all those password
change attempts, but it doesn't matter now.

I'm VERY impressed that Microsoft Corporation staff have time/energy to look
at newsgroups and answer questions. I've never been a Bill Gates basher, but
this only confirms my view that MS is an often misunderstood organisation.

Perhaps you could refer this reply to an equally qualified person in the
networking area. I have a frustrating networking problem, and I can't help
but think it's related to the recent Blaster Worm patches. Sorry it's OT,
but I'm desperate.

I have, for about a year, had 2 XP PCs connected to a W2K machine using
Microsoft Networking. Everything worked fine. After the recent Blaster Worm
patch it's failed. All machines can ping all other machines. The W2K machine
can browse shares on both XP. XP can browse each other. The only combination
that doesn't work (and I really need) is neither XP can browse the W2K
machine. I've spent days trying to sort it out, with no luck. I've probably
changed so many things it's now permanently broken. I doubt I could set it
back the way it was. I did mess with DCOM recently in attempting to sort out
an msi problem. I've seen MANY instances of what seems to be the same
problem, many noting it's only since the recent security patches. DCOM has
been tightened up, and Networking uses DCOM. It's a bit suspicious. We've
probably had something set all wrong all these years, and now that DCOM has
been 'fixed' networking won't work. Any clues much appreciated.
 