Event ID 643

  • Thread starter Thread starter Guest
  • Start date Start date
G

Guest

I'm looking for information regarding Security Event Log events beyond what
is available in the event log itself. Currently, I'm most interested in what
a 643 event is on a standalone Windows 2000 server. We see this event daily
on several machines, but not regular intervals. One interesting thing is
that all machines have IIS installed.

The event says it is a password policy change, but there are no details as
to what the actual change was. When I go in and change the password policy
on the local machine, the event gets generated but there is no more
information than the events that just "pop up" every once in a while. I
would appreciate any information either regarding this specific event ID or
any (very detailed) reference explaining security event logs. I found a KB
article referencing security events, but it just gives an example of what you
would see in the event log anyway.
 
Hi Steve,

I would like to confirm my understanding of this issue:
You have noticed that Event ID 643 is logged in the application log in
win2k server. However, what do you mean by " on a standalone Windows 2000
server"? Is this server in the domain or a workgroup?

Technically speaking, Event ID 643 has indicated that Domain Policy
Changed. As you have found, this policy will be generated when you change
the domain policy or local policy as described in the following link:

http://support.microsoft.com/default.aspx?scid=kb;en-us;301677

Based on my research, Event ID 643 could be trigger by the following causes:

1. By design behavior.
============================
This behavior is by design and is not indicating a problem with security or
auditing. This audit event can be safely ignored.

"Password Policy Change" (event 643) does not distinguish between policy
refresh and actual password policy change. Thus, each time that a client
or server refreshes their local security policy (5 minutes for Active
Directory domain clients or 16 hours for NT 4.0 domain clients), the audit
event 643 occurs.

In the event that there is no associated Event 1704 in the application
event log for a 643 event, then this may very well be because of a password
policy change.

2. Refreshes its local security policy
========================================
This event is logged each time that the server refreshes its local security
policy.

This is normal behavior when a Windows 2000 system refreshes the policy,
the specific audit mechanism for password policies doesn't differentiate
between a policy refresh and a policy update. Thus, each refresh registers
a 643 event.

3. DC has reached the an enforce interval
=========================================

The Domain Controller has reached an enforce interval for Security Policy
as
defined by the following Registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83
A}

Value: MaxNoGPOListChangesInterval
Data: Minutes of delay, entered in hexadecimal

By default, this value is set to 0x3c0, (960 minutes or 16 hours)

For more details how to resolve this issue, please refer to the following
article:

277543 How to delay security policies from being applied
http://support.microsoft.com/?id=277543


In the conclusion, I believe you don't need to worry about this event log,
probably, you have encounter a by design behavior.

In addition, if you want to track the domain policy change, there is no
built-in tool to achieve this goal. Based on my further research, there is
a third-party tool which can compare gpttmpl.inf file. For example, if you
save the current gpttmpl.inf file which is located in sysvol folder (you
can search gpttmpl.inf in the sysvol folder), when the domain policy
changes, compare the current version of gpttmpl.inf with the original one
by using WinDiff function or manually compare to find out the difference.

Another method is to compare the settings using GPMC. A third-party tool
called TripWire provides change control down to the contents of a file.
(http://www.tripwire.com).

Note: The third-party product discussed is manufactured by a vendor
independent of Microsoft; we make no warranty, implied or otherwise,
regarding this product's performance or reliability.

Any update, let us get in touch!

Best regards,

Rebecca Chen

MCSE2000 MCDBA CCNA


Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security

=====================================================

When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.

=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
 
Thanks for the very comprehensive response. The servers in question are part
of a workgroup. The odd thing is, it seems that only machines with IIS
installed are creating this event log entry, and the pattern seems to be
between 14 and 20 hours in between.
 
Just to clarify - this is showing up in the Security Event log, not
Application Event log.
 
Hi Steve,

Thanks for the event log!

After researching the event log, I have found the Caller User Name is
CSMONITOR$ in the security log, it seems the system has raised this error.
In addition, the caller Domain is DATACENTERNYC, I am a little unclear
about this situation since you have stated it is a stand-alone machine.
Please let me know DATACENTERNYC refers to a domain?

An important cent is that I have found the corresponding application log
"Event log 1704".

Event log 1704 has indicated that security policy in the Group policy
objects has been applied successfully. You can notice that at this time,
security log 643 has been recorded in the security log.

In the conclusion, one policy on CSMONITOR has been changed so that event
log 1704 has been recorded in the application log and the corresponding
security log 643.

This is a normal behavior in a domain environment, please double check if
the machine is in a domain (In My Computer's Properties->Computer Name tab,
you can see the domain name). If it is a stand-alone machine, please
compare the gpttmpl.inf file as I have mentioned to find out which policy
has been changed.

Please use the steps to check the status and post back if you have any
update.

Best regards,

Rebecca Chen

MCSE2000 MCDBA CCNA


Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security

=====================================================

When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.

=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
 
But, that's the problem. There was no change made. I'm aware of everything
you stated below, and yest DATACENTERNYC is a workgroup so the event log is a
bit confusing. Also, there is no gpttmpl.inf file on the machine.

I set up another machine in a lab the same way as our DATACENTERNYC machines
with IIS and the local security policy. Interestingly enough, Event 643 is
NOT showing up in the logs. The only difference between the lab and
production machines is Compaq management software.
 
Hi Steve,

According to your description, I suspect certain third-party application
has changed the local policy to trgger this Event. If Compaq management
software is installed on the productive machine, please install this
applicatin on the test machine with the same configuration to observe the
result.

If possible, please remove Compaq management software from the production
machine, what is the result?

If the issue persists, please refer to the following link to gather the
MpsReport on both production and the test machine, send them to
(e-mail address removed) for research.

I look forward to your reply.

Best regards,

Rebecca Chen

MCSE2000 MCDBA CCNA


Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security

=====================================================

When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.

=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
 
Here is the MpsReport link:

Microsoft Product Support's Reporting Tools
http://www.microsoft.com/downloads/details.aspx?FamilyID=cebf3c7c-7ca5-408f-
88b7-f9c79b7306c0&displaylang=en

Any update, let us get in touch!

Best regards,

Rebecca Chen

MCSE2000 MCDBA CCNA


Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security

=====================================================

When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.

=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
 
Hi Steve ,

I am glad to hear this issue has gone after installing the patches. That is
great!

What kind of patch have you installed, Windows or Compaq management
software ?

For any reason, the system now is aware of that the policy ahs not been
changed. :)

Any update, let us get in touch!

Best regards,

Rebecca Chen

MCSE2000 MCDBA CCNA


Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security

=====================================================

When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.

=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

Steve said:
================
Thanks for your help Rebecca, but we can stop looking into. I have
installed some hotfixes that made the 643 event go away in all but one
machine which can't be patched due to the applications installed.

Thanks again,
Steve Fix
 
Back
Top