How do I find out who changed a password.

User Account Changed:
 I have looked in the security event viewer for Eventid 642 and this is the result. The User is NT AUTHORITY\ANONYMOUS LOGON       

Target Account Name:      MyAccount
       Target Domain:      Mydomain
       Target Account ID:      MyDomain\MyAccount
       Caller User Name:      ANONYMOUS LOGON
       Caller Domain:      NT AUTHORITY
       Caller Logon ID:      (0x0,0x376F31CA)
       Privileges:      -
 Changed Attributes:
       Sam Account Name:      -
       Display Name:      -
       User Principal Name:      -
       Home Directory:      -
       Home Drive:      -
       Script Path:      -
       Profile Path:      -
       User Workstations:      -
       Password Last Set:      10/5/2007 12:09:50 PM
       Account Expires:      -
       Primary Group ID:      -
       AllowedToDelegateTo:      -
       Old UAC Value:      -
       New UAC Value:      -
       User Account Control:      -
       User Parameters:      -
       Sid History:      -
       Logon Hours:      -

I am trying to track down either the computer os user who made this change.

Thanks
hamiltonitdeptSenior Network EngineerAsked:
Who is Participating?
 
Fridolin MansmannConnect With a Mentor Master of Business Engineering ManagementCommented:
I also think you have to search in the security logs on all domain controllers.

Get tools here:
https://www.microsoft.com/downloads/details.aspx?familyid=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en

Use eventcombMT.exe to search for security event 642 on all domain controllers.
Use nltest.exe from Windows Resource Kit tools to get the list of DCs:

Start - Run - cmd
nltest /DCLIST:<domainname>
0
 
laskovdConnect With a Mentor Commented:
Its local user or under some domain\AD?
Try to check closest Events to check any security changes (user logon\logoff, permisson granted etc)
maybe it will hopeful:
http://www.windowsitpro.com/Articles/ArticleID/15361/15361.html?Ad=1
0
 
hamiltonitdeptSenior Network EngineerAuthor Commented:
It is a domain user
0
 
laskovdConnect With a Mentor Commented:
So user change may be performed on client station or on domain controllers itself. So You may need to check security logs also on all domain controllers available.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.