Reset password audit

[misaro]

Hi,

I'm auditing all events availables by microsoft for
auditings purposes, but when some user adminitrator change
the password for any account i can not to know who did it
and when happened.

I mean is any missing on the config or what i must to
do...

Thanks any help!!!!

 

[Steven L Umbach]

Make sure auditing of account management is enabled and look for Event IDs
642 or 628 in the security log being sure to look at the whole description -
the name of the perpetrator should be in a line in there. You say you are
auditing everything?? That is a lot and you may be looking for a needle in a
haystack. For instance you may not want to audit object access, process
tracking, or privilige use unless you have specific reasons to but it is not
a general practice. --- Steve

 

[Guest]

I'm checking right now my DC Event Security Log, do not
have any event id 642-628, such as i am auditing process
tracking -object access. When i check again my audit
policy found i am auditing account management only for
failure (-) and not successful (+).

I am going to audit both (-),(+) and remove process
tracking-object access certainly i don't need it.

Anyway let me know if this changes will help to receive
event id's as you told me.

Thanks a lot !

 

[Steven L Umbach]

Enabling auditing of account management should record successful password changes.
You don't really need auditing of object access unless you are going to be auditing
access to files/folders. --- Steve