Prashant Girennavar
asked on
Auditing who changed the local administrator password of the Member server "POSSIBLE"?
Hello Experts,
I want to get the information on who has changed my local administrator password of a member server. I know it can be done in AD, but for a member server I am not sure.
Is it possible to see the events related to it? Will it tell who has carried out the task?
Thanks,
_Prashant_
ASKER
Thanks Rob,
The links which you have provided are AD-specific (I know the auditing in AD). Now my question is: can I audit the local administrator member password reset events?
Since this is a local administrator account, can we configure who has reset the local administrator password of a member server?
If this is possible, then how do I carry out this task?
Thanks,
_Prashant_
ASKER
Rob,
I understand that it won't show the past events. I have configured it on my test machine and changed the local administrator password of it.
Guess what, it worked. The event which got generated was 642 under the Security event log.
So,
Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit account management
is the auditing setting which needs to be enabled for this.
I have not tested this with 2008 Server (as I don't have the test machine).
It worked for me.
Thanks for your help Rob
Cheers,
_Prashant_
ASKER
I've requested that this question be closed as follows:
Accepted answer: 0 points for PrashantGirennavar's comment #a38394999
Assisted answer: 200 points for RobWill's comment #a38394658
for the following reason:
Tested by myself
ASKER
For Windows Server 2008, the Event ID is 4738.
Thanks PrashantGirennavar.
Glad to hear it worked for you.
Cheers!
--Rob
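The check discussed in this thread, as an added PowerShell example that is not part of any post above: it confirms the "Audit account management" setting and lists who changed the local Administrator account, using the Security log on Windows Server 2008 or later (the 642 event on older servers is not covered). The function name `Get-LocalAccountChange`, the seven-day window, and the inclusion of event IDs 4723 and 4724 are assumptions of this example.

```powershell
# Added example, not from the thread. Run elevated on the member server.
# 4738 is the event ID reported in the thread for Windows Server 2008.
# 4723 (password change attempt) and 4724 (password reset attempt) are
# included here as an assumption; the thread does not mention them.
$ids = 4738, 4723, 4724

# Show whether account management auditing is enabled. This auditpol
# category corresponds to the "Audit account management" policy setting.
auditpol /get /category:"Account Management"

function Get-LocalAccountChange {
    param(
        [string]$TargetAccount = 'Administrator',    # local account to watch
        [datetime]$Since = (Get-Date).AddDays(-7)    # assumed look-back window
    )
    $filter = @{ LogName = 'Security'; Id = $ids; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $evt = $_
            # EventData is a list of <Data Name="...">value</Data> elements.
            $data = @{}
            foreach ($d in ([xml]$evt.ToXml()).Event.EventData.Data) {
                $data[$d.Name] = $d.'#text'
            }
            # Local accounts carry the machine name as the target domain.
            if ($data['TargetUserName'] -eq $TargetAccount -and
                $data['TargetDomainName'] -eq $env:COMPUTERNAME) {
                New-Object psobject -Property @{
                    Time      = $evt.TimeCreated
                    EventId   = $evt.Id
                    Target    = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
                    ChangedBy = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
                    LogonId   = $data['SubjectLogonId']
                }
            }
        }
}

Get-LocalAccountChange |
    Sort-Object Time |
    Select-Object Time, EventId, Target, ChangedBy, LogonId |
    Format-Table -AutoSize
```

As noted in the thread, only events logged after auditing was enabled will appear.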
http://support.microsoft.com/kb/814595/
http://www.windowsecurity.com/articles/Understanding_Windows_Logging.html
http://207.46.19.60/technet/prodtechnol/windows2000serv/maintain/monitor/logevnts.mspx