How to audit service password change?

Have a client with Server 2003, and 2 services run under user who is a domain administrator.  No one logs in as this user.  Occasionally the services stop and when I try to restart them, it can't due to a logon failure.  When I change the password in the service to what it should be, the service can start.

The domain account password isn't being changed in Active Directory, just the service it seems.

What is the best way to audit when a password is changed for a service?
Asked by: CTS-Tech

McKnife Commented:
Use auditing on the corresponding registry key for that service below HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services.
You will see which process/user changed the info if you log writes.
0
CTS-Tech (Author) Commented:
Do I do that in the registry?
0

McKnife Commented:
Yes. Right-click HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services, choose "permissions" -> advanced -> auditing -> audit writes to that key for the group "everyone". To activate auditing, you also need to set the following:
-> secpol.msc -> loc. pol. -> aud. pol. -> audit object access -> set to "enabled". From then on, writes to that key are logged in the security event log, which you find after starting eventvwr.exe.
0
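The registry auditing steps described in the answer above, scripted as an added example (not code posted by anyone in the thread). It assumes an elevated PowerShell 2.0 or later session, uses `MyService` as a placeholder service name, and audits a single service's key rather than the whole services tree to keep the log volume down. The "Audit object access" policy must still be enabled as described above.

```powershell
# Added example: audit successful writes to one service's registry key and
# list the resulting Security log entries.
# Assumptions: elevated session, PowerShell 2.0+, 'MyService' is a placeholder.
param([string]$ServiceName = 'MyService')

$keyPath = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
if (-not (Test-Path $keyPath)) { throw "Service key not found: $keyPath" }

# Rights that cover configuration changes: value writes, subkey creation,
# deletion, and changes to the key's own permissions or owner.
$rights = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'

# "Everyone" by well-known SID, so the rule also resolves on non-English systems.
$everyone = New-Object System.Security.Principal.SecurityIdentifier(
    [System.Security.Principal.WellKnownSidType]::WorldSid, $null)

# Success-only rule, inherited by subkeys of the service key.
$rule = New-Object System.Security.AccessControl.RegistryAuditRule(
    $everyone, $rights,
    [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]::Success)

# -Audit loads the SACL; without it Get-Acl returns only owner and DACL.
$acl = Get-Acl -Path $keyPath -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $keyPath -AclObject $acl

# Read the SACL back to confirm the rule was stored.
(Get-Acl -Path $keyPath -Audit).Audit |
    Format-Table IdentityReference, RegistryRights, AuditFlags -AutoSize

# Object-access event IDs: 560/567 on Server 2003, 4657/4663 on Vista/2008+.
# The service name appears in the event's object name, so match on it.
$ids = 560, 567, 4657, 4663
Get-EventLog -LogName Security -Newest 2000 |
    Where-Object { $ids -contains $_.EventID -and
                   $_.Message -match [regex]::Escape($ServiceName) } |
    Select-Object -First 20 TimeGenerated, EventID, Message
```

Run it once to set the rule, then again after the next service failure; the matching events name the process and user that wrote to the key.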
CTS-Tech (Author) Commented:
I found the issue.  Previous IT guy had Group Policy permissions set to only allow certain accounts to login as a service.
0

CTS-Tech (Author) Commented:
Thanks guys
0
Windows Server 2003
