Service account name change

Is it possible for a service account to have its username changed other than by manual intervention? Also, what is the event ID for a username change?
polbexpert2Asked:
 
mark1208Commented:
Hi polbexpert2,

I can't think of any scenario that would automatically rename an account on WS2003 or AD. Something usually has to intentionally modify it, based on user input (ADUC, script, etc.).

Other than that, the Event IDs you're looking for are:
685: Name of an account was changed.
642: A user account was changed.
WS2003 Example (685):
Account Name Changed:
   Old Account Name: DC1$
   New Account Name: DC3$
   Target Domain:  ACME
   Target Account ID: ACME\DC3$
   Caller User Name: administrator
   Caller Domain: ACME
   Caller Logon ID: (0x0,0x3C154)
   Privileges: -

XP Example (685):
Account Name Changed:
   Old Account Name: Guest
   New Account Name: Guest1
   Target Domain:  STG
   Target Account ID: STG\Guest1
   Caller User Name: wsmith
   Caller Domain: STG
   Caller Logon ID: (0x0,0x3013E)
   Privileges: -

These will show in the Security log, provided that the "Audit account management" policy is set to Success (the default for WS2003 domain controllers but not member servers). See http://technet.microsoft.com/en-us/library/cc737542%28WS.10%29.aspx for more info.

Hope this helps!
-Mark
0
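An added example, not part of the original answer: a Python parser for event 685 descriptions in the layout quoted above, which pulls the old name, new name and caller out of a text export of the Security log and filters for a watched account. The text-export input, the sample records and the function names are assumptions.

```python
import re

# Constructed sample: two event 685 descriptions in the layout quoted in the
# answer above, as they might appear in a text export of the Security log.
SAMPLE = """\
Account Name Changed:
   Old Account Name: DC1$
   New Account Name: DC3$
   Target Domain:  ACME
   Target Account ID: ACME\\DC3$
   Caller User Name: administrator
   Caller Domain: ACME
   Caller Logon ID: (0x0,0x3C154)
Account Name Changed:
   Old Account Name: Guest
   New Account Name: Guest1
   Target Domain:  STG
   Caller User Name: wsmith
   Caller Domain: STG
"""

FIELD = re.compile(r"^\s*([A-Za-z ]+?):\s*(.*?)\s*$")

def parse_renames(text):
    """Return one dict per 'Account Name Changed' record found in text."""
    records = []
    for block in re.split(r"(?m)^Account Name Changed:\s*$", text)[1:]:
        fields = dict(m.groups() for m in map(FIELD.match, block.splitlines()) if m)
        if not {"Old Account Name", "New Account Name"} <= fields.keys():
            continue  # truncated record: skip rather than guess
        records.append({
            "old": fields["Old Account Name"],
            "new": fields["New Account Name"],
            "caller": fields.get("Caller Domain", "?") + "\\" + fields.get("Caller User Name", "?"),
            "logon_id": fields.get("Caller Logon ID", ""),
        })
    return records

def renames_of(text, watched):
    """Return renames whose old name is in `watched` (case-insensitive)."""
    wanted = {name.lower() for name in watched}
    return [r for r in parse_renames(text) if r["old"].lower() in wanted]

if __name__ == "__main__":
    for r in renames_of(SAMPLE, ["DC1$"]):
        print(f'{r["old"]} -> {r["new"]} by {r["caller"]} (logon {r["logon_id"]})')
```
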
 
euronetsCommented:
No, it is not possible; only the manual option is possible...
0
 
mark1208Commented:
Hi polbexpert2, did the response(s) provided above address your questions? Please follow up so we experts can research further or attempt a different troubleshooting approach. :)

Thanks,
  Mark
0
 
polbexpert2Author Commented:
Mark, I looked up the events, and while I didn't find any, I believe the events might have been purged from the system already.
0
 
mark1208Commented:
Depending on your specific configuration and the frequency with which the Security log is overwritten on your DCs, it is very possible that the rename events you're looking for have aged out already.

Most firms get around this issue and satisfy audit requirements by: 1) configuring a lag (delayed replication) site within AD, and/or 2) by leveraging third-party security solutions such as Symantec Control Compliance Suite or Microsoft Forefront Identity Manager. Also popular is restricting access to ADUC on the front-end and forcing support personnel to perform account administration tasks using third-party identity management solutions (since these have infinitely better logging/searching capabilities than the default Microsoft solution).

Other than taking proactive steps now to ensure that future audit information remains accessible when needed, I'm afraid there's not much you can do at this point.  :(

-Mark
0
 
mark1208Commented:
Hi polbexpert2, just following up. Any further questions/issues I can help with?

-Mark
0