?
Solved

How do I find out who changed a password.

Posted on 2007-10-08
4
Medium Priority
?
6,029 Views
Last Modified: 2013-12-04
User Account Changed:
 I have looked in the security event viewer for Eventid 642 and this is the result. The User is NT AUTHORITY\ANONYMOUS LOGON       

Target Account Name:      MyAccount
       Target Domain:      Mydomain
       Target Account ID:      MyDomain\MyAccount
       Caller User Name:      ANONYMOUS LOGON
       Caller Domain:      NT AUTHORITY
       Caller Logon ID:      (0x0,0x376F31CA)
       Privileges:      -
 Changed Attributes:
       Sam Account Name:      -
       Display Name:      -
       User Principal Name:      -
       Home Directory:      -
       Home Drive:      -
       Script Path:      -
       Profile Path:      -
       User Workstations:      -
       Password Last Set:      10/5/2007 12:09:50 PM
       Account Expires:      -
       Primary Group ID:      -
       AllowedToDelegateTo:      -
       Old UAC Value:      -
       New UAC Value:      -
       User Account Control:      -
       User Parameters:      -
       Sid History:      -
       Logon Hours:      -

I am trying to track down either the computer os user who made this change.

Thanks
0
Comment
Question by:hamiltonitdept
  • 2
4 Comments
 
LVL 3

Assisted Solution

by:laskovd
laskovd earned 300 total points
ID: 20036428
Its local user or under some domain\AD?
Try to check closest Events to check any security changes (user logon\logoff, permisson granted etc)
maybe it will hopeful:
http://www.windowsitpro.com/Articles/ArticleID/15361/15361.html?Ad=1
0
 

Author Comment

by:hamiltonitdept
ID: 20036641
It is a domain user
0
 
LVL 3

Assisted Solution

by:laskovd
laskovd earned 300 total points
ID: 20036746
So user change may be performed on client station or on domain controllers itself. So You may need to check security logs also on all domain controllers available.
0
 
LVL 5

Accepted Solution

by:
Fridolin Mansmann earned 450 total points
ID: 20063632
I also think you have to search in the security logs on all domain controllers.

Get tools here:
https://www.microsoft.com/downloads/details.aspx?familyid=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en

Use eventcombMT.exe to search for security event 642 on all domain controllers.
Use nltest.exe from Windows Resource Kit tools to get the list of DCs:

Start - Run - cmd
nltest /DCLIST:<domainname>
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Many of us in IT utilize a combination of roaming profiles and folder redirection to ensure user information carries over from one workstation to another; in my environment, it was to enable virtualization without needing a separate desktop for each…
OfficeMate Freezes on login or does not load after login credentials are input.
this video summaries big data hadoop online training demo (http://onlineitguru.com/big-data-hadoop-online-training-placement.html) , and covers basics in big data hadoop .
Look below the covers at a subform control , and the form that is inside it. Explore properties and see how easy it is to aggregate, get statistics, and synchronize results for your data. A Microsoft Access subform is used to show relevant calcul…

839 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question