  • Status: Solved
  • Priority: Medium
  • Security: Public

Auditing who changed the local administrator password of the Member server "POSSIBLE"?

Hello Experts,

I want to get the information on who has changed my local administrator password of a member server. I know it can be done in AD, but for a member server I am not sure.

Is it possible to see the events related to it? Will it tell who has carried out the task?

Thanks,

_Prashant_
Asked by: Prashant Girennavar
1 Solution
 
Rob Williams Commented:
It is pretty hard to obtain that information after the event has occurred, but for future detection you can enable detailed auditing, and within the configuration you can configure the systems and the successful and/or failed events you wish to audit. The following articles outline how to enable auditing and analyze the results:
http://support.microsoft.com/kb/814595/
http://www.windowsecurity.com/articles/Understanding_Windows_Logging.html
http://207.46.19.60/technet/prodtechnol/windows2000serv/maintain/monitor/logevnts.mspx
0
 
Prashant Girennavar Author Commented:
Thanks Rob,

The links which you have provided are AD specific (I know the auditing in AD). Now my question is, can I audit the local administrator member password reset events?

Since this is a local administrator account, can we configure who has reset the local administrator password of a member server?

If this is possible, then how do I carry out this task?

Thanks,

_Prashant_
0
 
Rob Williams Commented:
Though I admit I have not done it, the same policy objects exist in local group policy on the member server under Administrative Tools / Local Security Policy, which will audit local accounts.

Again, as mentioned, though, this will not supply any information about past events, only from this point forward. The logs do get large as well.
0

 
Prashant Girennavar Author Commented:
Rob,

I understand that it won't show the past events. I have configured it on my test machine and changed its local administrator password.

Guess what, it worked. The event which got generated was 642 under the Security event logs.

So, Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit account management is the auditing setting which needs to be enabled for this.

I have not tested this with 2008 Server (as I don't have the test machine).

It worked for me.

Thanks for your help Rob

Cheers,

_Prashant_
0
 
Prashant Girennavar Author Commented:
I've requested that this question be closed as follows:

Accepted answer: 0 points for PrashantGirennavar's comment #a38394999
Assisted answer: 200 points for RobWill's comment #a38394658

for the following reason:

Tested by myself
0
 
Prashant Girennavar Author Commented:
For Windows Server 2008, the Event ID is 4738.
0
 
Rob Williams Commented:
Thanks PrashantGirennavar.
Glad to hear it worked for you.
Cheers!
--Rob
0
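
The procedure worked out in this thread (enable "Audit account management" on the member server, then read the Security log), as an added PowerShell example that is not part of any participant's post. It goes slightly beyond the thread by also searching events 4723 and 4724 (password change and reset attempts) alongside the 4738 mentioned above; it assumes PowerShell 3.0 or later, an English-language `auditpol` category name, and the default account name `Administrator`, and the function name `Get-LocalPasswordChangeEvent` is hypothetical.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell session on the
# member server (Windows Server 2008 or later; event 642 from the thread applies to
# older systems and is not queried here).

# 1. Enable the "Audit account management" policy locally (success and failure).
auditpol /set /category:"Account Management" /success:enable /failure:enable | Out-Null

# 2. Event IDs to search. 4738 is the ID given in the thread; 4723 (password change
#    attempt) and 4724 (password reset attempt) are added here, not from the thread.
$ids = 4738, 4723, 4724

# Assumption: the built-in account still has its default name.
$targetAccount = 'Administrator'

function Get-LocalPasswordChangeEvent {
    param(
        [int[]]$Id,
        [string]$TargetUser,
        [datetime]$Since = (Get-Date).AddDays(-7)
    )
    $filter = @{ LogName = 'Security'; Id = $Id; StartTime = $Since }
    # Get-WinEvent raises an error when nothing matches, so suppress it.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Named fields live in the event XML, not in the rendered message text.
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        # Keep local accounts only: the target "domain" is this computer's name.
        if ($data.TargetUserName -eq $TargetUser -and
            $data.TargetDomainName -eq $env:COMPUTERNAME) {
            [pscustomobject]@{
                Time      = $_.TimeCreated
                EventId   = $_.Id
                Target    = "$($data.TargetDomainName)\$($data.TargetUserName)"
                ChangedBy = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
                LogonId   = $data.SubjectLogonId   # correlate with logon event 4624
            }
        }
    }
}

# 3. List who touched the local Administrator account in the last seven days.
Get-LocalPasswordChangeEvent -Id $ids -TargetUser $targetAccount |
    Sort-Object Time | Format-Table -AutoSize
```

As noted in the thread, only events recorded after auditing is enabled will appear, and the Security log grows quickly, so size and retention should be set accordingly.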
