Service account name change

Is it possible for a service account to have its username changed other than manual intervention. Also what is the event ID for a username change.
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

no is not posible only manual option is posible...
Hi polbexpert2,

I can't think of any scenario that would automatically rename an account on WS2003 or AD. Something usually has to intentionally modify it, based on user input (ADUC, script, etc.).

Other than that, the Event IDs you're looking for are:
685: Name of an account was changed.
642: A user account was changed.
WS2003 Example (685):
Account Name Changed:
   Old Account Name: DC1$
   New Account Name: DC3$
   Target Domain:  ACME
   Target Account ID: ACME\DC3$
   Caller User Name: administrator
   Caller Domain: ACME
   Caller Logon ID: (0x0,0x3C154)
   Privileges: -

XP Example (685):
Account Name Changed:
   Old Account Name: Guest
   New Account Name: Guest1
   Target Domain:  STG
   Target Account ID: STG\Guest1
   Caller User Name: wsmith
   Caller Domain: STG
   Caller Logon ID: (0x0,0x3013E)
   Privileges: -

These will show in the Security log, provided that the "Audit account management" policy is set to Success (the default for WS2003 domain controllers but not member servers). See for more info.

Hope this helps!

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Hi polbexpert2, did the response(s) provided above address your questions? Please follow-up so us experts can research  further or attempt a different troubleshooting approach.   :)

Upgrade your Question Security!

Your question, your audience. Choose who sees your identity—and your question—with question security.

polbexpert2Author Commented:
mark I looked up the events and while i didn't find any I believe the events might have been purged from the system already.
Depending on your specific configuration and the frequency with which the Security log is overwritten on your DCs, it is very possible that the rename events you're looking for have aged out already.

Most firms get around this issue and satisfy audit requirements by: 1) configuring a lag (delayed replication) site within AD, and/or 2) by leveraging third-party security solutions such as Symantec Control Compliance Suite or Microsoft Forefront Identity Manager. Also popular is restricting access to ADUC on the front-end and forcing support personnel to perform account administration tasks using third-party identity management solutions (since these have infinitely better logging/searching capabilities than the default Microsoft solution).

Other than taking proactive steps now to ensure that future audit information remains accessible when needed, I'm afraid there's not much you can do at this point.  :(

Hi polbexpert2, just following up. Any further questions/issues I can help with?

It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2003

From novice to tech pro — start learning today.