Who has changed the user pw in Active Directory

SAM2009
When I checked a user account in my Active Directory (Windows 2003), I realized that someone had changed his pw.

How could I know who has changed the pw?

Thank you.

Author

Commented:
But in caller user I got a server name instead of a user, what does it mean???
Top Expert 2013

Commented:
In addition to 628, event 642 will tell you too.
I've posted an example of each event; notice it tells me that an account called "administrator" made the change. Are you not seeing that in your logs?
That auditing should be on by default.
Thanks
Mike

628.gif
642.gif
Author

Commented:
This is what I got, in "caller user name" I have the DC name with a "$" sign... what does it mean:

Event Type:      Success Audit
Event Source:      Security
Event Category:      Account Management
Event ID:      642
Date:            7/19/2009
Time:            6:11:15 PM
User:            NT AUTHORITY\ANONYMOUS LOGON
Computer:      DCSRV01
Description:
User Account Changed:
       Target Account Name:      useradmin
       Target Domain:      LABO
       Target Account ID:      LABO\ useradmin
       Caller User Name:      DCSRV01$
       Caller Domain:      LABO
       Caller Logon ID:      (0x0,0x3E7)
       Privileges:      -
 Changed Attributes:
       Sam Account Name:      -
       Display Name:      -
       User Principal Name:      -
       Home Directory:      -
       Home Drive:      -
       Script Path:      -
       Profile Path:      -
       User Workstations:      -
       Password Last Set:      7/19/2009 6:11:15 PM
       Account Expires:      -
       Primary Group ID:      -
       AllowedToDelegateTo:      -
       Old UAC Value:      -
       New UAC Value:      -
       User Account Control:      -
       User Parameters:      -
       Sid History:      -
       Logon Hours:      -
DonNetwork Administrator

Commented:
Computer accounts have passwords too, and they change their own passwords by default every 30 days
http://technet.microsoft.com/en-us/library/cc785826(WS.10).aspx 

Author

Commented:
Ok, someone came and told me that he has changed the pw... Ok, I know it had been changed by a user, but how come I did not see the user name and got the PC name instead?

The guy told me that he changed the pw from Active Directory Users and Computers via MMC.
Top Expert 2013

Commented:
Another good reference for computer account passwords is from the DS team
http://blogs.technet.com/askds/archive/2009/02/13/machine-account-password-process.aspx
Machine Account Password Process
Thanks
Mike
DonNetwork Administrator

Commented:
Sorry my comments aren't complete enough that they have to be basically repeated.
.
"Thanks"
dstewartjr
Top Expert 2013

Commented:
Sometimes screenshots help people and I also added another event that you didn't mention. The second event I mentioned is another entry that can help track down changes. I also thought the blog entry from the Microsoft Directory Services team would help some people.
Not every follow up comment is meant as an attack on your comment. Sorry you took offense, I think more comments that may help are always good. I certainly don't know everything...maybe you do.
What I won't do is hesitate to post a follow up if I think it will help out here or in the future if a question comes up via a Google search.
 
Thanks
Mike
 

Author

Commented:
Ok, thank you guys for your help.

I realized that we see the machine name instead because it has been changed from remote.

Commented:
Thanks!
DonNetwork Administrator

Commented:
I might not have mentioned the second event, but the link I provided did
 
On Windows Server 2003 this event is only logged when a user changes his own password. For password resets by administrators see event 628. This event will also be accompanied by event 642 showing that the Password Last Set date field was updated.
Top Expert 2013

Commented:
In the end the user was helped and that is what matters.  
I admit I don't read every word in every link posted on other comments (time constraints)
I know I've gotten plenty of feedback in the past about screenshots helping people out.  If they don't help you then that is ok.
...again the user got his help and that is what matters.
Thanks
Mike
DonNetwork Administrator

Commented:
"I admit I don't read every word in every link posted on other comments (time constraints)"
But you have time to make the screenshots....hmmmm
Top Expert 2013

Commented:
Yes because that has helped people, before I read the other link I'll first usually try to test in my lab.  That is exactly what I did there.
Again I apologize if I have to test in my lab to confirm and if posting those results offends you then I'm sorry.  
I'll continue to test and post results from my lab.  I know it has helped others in the past.  I'm not going to argue with you anymore about this.    
DonNetwork Administrator

Commented:
Yup, I too like to use screenshots. Just thought I'd give you a hard time about the time constraints..... ;^D
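
The pairing discussed in this thread (a 642 record whose caller is the DC's machine account, read alongside the 628 record that names the account doing the reset), as an added example that is not part of the original thread. It parses text-form event records in the layout posted above; the 628 record, the caller `jsmith` and the 5-second matching window are assumptions made for the sample.

```python
import re
from datetime import datetime, timedelta
# Constructed sample in the layout of the thread's 642 event; the 628 record and "jsmith" are invented.
SAMPLE = """\
Event ID:      628
Date:            7/19/2009
Time:            6:11:14 PM
User Account password set:
       Target Account Name:      useradmin
       Caller User Name:      jsmith

Event ID:      642
Date:            7/19/2009
Time:            6:11:15 PM
User Account Changed:
       Target Account Name:      useradmin
       Caller User Name:      DCSRV01$
       Caller Logon ID:      (0x0,0x3E7)
       Password Last Set:      7/19/2009 6:11:15 PM
"""

FIELD = re.compile(r"^\s*([A-Za-z ]+?):[ \t]+(\S.*?)\s*$", re.M)

def parse_events(text):
    """Split records on blank lines; return one dict of fields per event."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        ev = dict(FIELD.findall(block))
        if "Event ID" in ev:
            ev["when"] = datetime.strptime(ev["Date"] + " " + ev["Time"], "%m/%d/%Y %I:%M:%S %p")
            events.append(ev)
    return events

def is_machine_caller(ev):
    """Computer accounts end in '$'; logon ID 0x3E7 is the Local System session."""
    system = ev.get("Caller Logon ID", "").lower().endswith(",0x3e7)")
    return system or ev.get("Caller User Name", "").endswith("$")

def who_set_password(events, window=timedelta(seconds=5)):
    """Pair each machine-caller 642 with a 628 on the same target close in time."""
    findings = []
    for ev in events:
        if ev["Event ID"] == "642" and is_machine_caller(ev):
            near = [e for e in events if e["Event ID"] == "628"
                    and e["Target Account Name"] == ev["Target Account Name"]
                    and abs(e["when"] - ev["when"]) <= window]
            caller = near[0]["Caller User Name"] if near else None
            findings.append((ev["Target Account Name"], ev["Caller User Name"], caller))
    return findings
```

A result whose third element is `None` means no 628 was found near that 642, so the 642 record alone does not name a human caller.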
