• Status: Solved

Auditing who changed the local administrator password of the Member server "POSSIBLE"?

Hello Experts,

I want to get information on who has changed the local administrator password of a member server. I know it can be done in AD, but for a member server I am not sure.

Is it possible to see the events related to it? Will it tell who has carried out the task?

Thanks,

_Prashant_
Prashant Girennavar
Asked:
Rob Williams Commented:
It is pretty hard to obtain that information after the event has occurred, but for future detection you can enable detailed auditing, and within the configuration you can configure the systems and the successful and/or failed events you wish to audit. The following articles outline how to enable and analyze the results:
http://support.microsoft.com/kb/814595/
http://www.windowsecurity.com/articles/Understanding_Windows_Logging.html
http://207.46.19.60/technet/prodtechnol/windows2000serv/maintain/monitor/logevnts.mspx
Prashant Girennavar (Author) Commented:
Thanks Rob,

The links which you have provided are AD specific (I know the auditing in AD). Now my question is, can I audit the local administrator member password reset events?

Since this is a local administrator account, can we configure who has reset the local administrator password of a member server?

If this is possible, then how do I carry out this task?

Thanks,

_Prashant_
Rob Williams Commented:
Though I admit I have not done it, the same policy objects exist in local group policy on the member server under Administrative Tools / Local Security Policy, which will audit local accounts.

Again, as mentioned, this will not supply any information about past events, only from this point forward. The logs do get large as well.
Prashant Girennavar (Author) Commented:
Rob,

I understand that it won't show the past events. I have configured it on my test machine and changed the local administrator password of it....

Guess what, it worked, the event which got generated was 642 under security event logs....

So,
Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit account management is the auditing setting which needs to be enabled for this.

I have not tested this with 2008 server (as I don't have the test machine).

It worked for me......

Thanks for your help Rob

Cheers,

_Prashant_
Prashant Girennavar (Author) Commented:
I've requested that this question be closed as follows:

Accepted answer: 0 points for PrashantGirennavar's comment #a38394999
Assisted answer: 200 points for RobWill's comment #a38394658

for the following reason:

Tested by myself
Prashant Girennavar (Author) Commented:
For Windows Server 2008, the Event ID is 4738.
Rob Williams Commented:
Thanks PrashantGirennavar.
Glad to hear it worked for you.
Cheers!
--Rob
Question has a verified solution.
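
An added example, not part of the original thread: one way to pull the "who changed it" answer out of the Security log once "Audit account management" is enabled. It assumes Windows Server 2008 or later (event 4738, as reported above) and an elevated PowerShell session; the function name `Get-LocalAdminPasswordChange` is hypothetical, and event 4724 (password reset attempt) is not mentioned in the thread but is logged by Windows alongside 4738 when a password is reset.

```powershell
# Added example. Assumes Windows Server 2008 or later, an elevated session,
# and "Audit account management" already enabled as described in the thread.
# Check the effective setting with:  auditpol /get /category:"Account Management"

function Get-LocalAdminPasswordChange {   # hypothetical helper name
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [datetime]$After = (Get-Date).AddDays(-7)
    )

    # 4738 = a user account was changed (the ID reported in the thread)
    # 4724 = an attempt was made to reset an account's password (not in the thread)
    $filter = @{ LogName = 'Security'; Id = 4738, 4724; StartTime = $After }

    # SilentlyContinue hides the "no events found" error; drop it when troubleshooting access
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $evt = $_
            # Flatten the <EventData><Data Name="..."> elements into a lookup table
            $data = @{}
            foreach ($node in ([xml]$evt.ToXml()).Event.EventData.Data) {
                $data[$node.Name] = $node.'#text'
            }

            # Keep only the built-in Administrator account (RID 500), even if it was renamed
            if ($data['TargetSid'] -notmatch '^S-1-5-21-.+-500$') { return }

            # 4738 also fires for non-password changes; PasswordLastSet is '-' when untouched
            if ($evt.Id -eq 4738 -and $data['PasswordLastSet'] -eq '-') { return }

            [pscustomobject]@{
                TimeCreated = $evt.TimeCreated
                EventId     = $evt.Id
                Target      = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
                ChangedBy   = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
                LogonId     = $data['SubjectLogonId']
            }
        }
}

Get-LocalAdminPasswordChange | Sort-Object TimeCreated | Format-Table -AutoSize
```

The `ChangedBy` column is the account that performed the change, and `LogonId` identifies the logon session it was made from. As noted in the thread, only changes made after auditing was enabled will appear.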