Hi Jason,
Thanks for posting!
I understand that event ID 1000, Event ID 644 and Event ID 642 are logged
in Event log on the Window 2000 DC after you changed an administrator's
password. If I have misunderstood your concerns, please feel free to let me
know.
Based on my research, security audit event 642 is logged when a property of
an Active Directory user or machine account changes (if Account Management
auditing is in use on the domain controllers). If the change involves
turning on, turning off, locking, or unlocking an account, the event
description identifies the relevant operation. Other changes to the account
that affect the userAccountControl attribute (for example, the Password
required setting) are logged as a generic "Account Changed" audit event.
To resolve this problem, please attempt to install Microsoft Windows 2000
Service Pack 4.
Get Windows 2000 SP4 Now
http://www.microsoft.com/Windows2000/downloads/servicepacks/sp4/download.asp
More detailed information for your reference:
314444 Some changes to SAM accounts are not explained in audit event 642
http://support.microsoft.com/default.aspx?scid=kb;en-us;314444
Hope the information helps. If there is anything that is unclear, please
feel free to let me know.
Thanks & Regards,
Jason Tan
Microsoft Online Partner Support
Get Secure! -
www.microsoft.com/security
=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
| Thread-Topic: problems after administrator password change
| thread-index: AcXLM7Z2K6vrExKIRR6Zc2Sfqs61EQ==
| X-WBNR-Posting-Host: 83.247.136.10
| From: "=?Utf-8?B?amFzb24=?=" <
[email protected]>
| Subject: problems after administrator password change
| Date: Fri, 7 Oct 2005 04:39:01 -0700
| Lines: 21
| Message-ID: <
[email protected]>
| MIME-Version: 1.0
| Content-Type: text/plain;
| charset="Utf-8"
| Content-Transfer-Encoding: 7bit
| X-Newsreader: Microsoft CDO for Windows 2000
| Content-Class: urn:content-classes:message
| Importance: normal
| Priority: normal
| X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.0
| Newsgroups: microsoft.public.win2000.advanced_server
| NNTP-Posting-Host: TK2MSFTNGXA03.phx.gbl 10.40.2.250
| Path: TK2MSFTNGXA01.phx.gbl!TK2MSFTNGXA03.phx.gbl
| Xref: TK2MSFTNGXA01.phx.gbl microsoft.public.win2000.advanced_server:6491
| X-Tomcat-NG: microsoft.public.win2000.advanced_server
|
| i've a w2000 domain, after an administrator pwd change i keep receiving
in
| some eventlogs that error
|
| application log
|
| event id 1000 [can't determine username or machine] returned value 1326.
|
| Aprox every 1:30 hours
|
| also i noticed that in security log (i audit correc privilege used) i
| receive event id 644(blocked administrator account) and next 642
(unblocked?).
|
| Any help?? i revised all scheduled tasks and updated the pwd. Also no
| service uses administrator account.
|
|
| thanx.
|
| --
| information is like sex if good is fantastic if not.... oh... better than
| nuthin'
|
