Microsoft Knowledge Base Email Alertz
All KB/RSS Links  |  Hot Kb!  |  New Kb!  |  Scott Cate  |  FAQ / KB  |  Web Hosting  |  Unsubscribe  

(314444) - Security audit event 642 is logged when a property of an Active Directory user or machine account changes (if Account Management auditing is in use on the domain controllers). If the change involves turning on, turning off, locking, or unlocking an...

Search KbAlertz

Advanced Search

Receive Microsoft Knowledge Base articles by E-Mail?

Every night we scan the Microsoft Knowledge Base. If technologies you're interested in are updated, we'll send you an e-mail. You only get one e-mail a day, and only when new articles are added.
Click here to create a
FREE account
Already have an account?
[Click here to Login]











Microsoft Knowledge Base Article

This article contents is Microsoft Copyrighted material.
©2005-©2007 Microsoft Corporation. All rights reserved. Terms of Use | Trademarks
Article ID: 314444 - Last Review: January 31, 2007 - Revision: 5.7

Some changes to SAM accounts are not explained in audit event 642

Hotfix download is availableHotfix Download Available
View and request hotfix downloads
View products that this article applies to.
System TipThis article applies to a different version of Windows than the one you are using. Content in this article may not be relevant to you. Visit the Windows Vista Solution Center
This article was previously published under Q314444

On This Page

SYMPTOMS

Security audit event 642 is logged when a property of an Active Directory user or machine account changes (if Account Management auditing is in use on the domain controllers). If the change involves turning on, turning off, locking, or unlocking an account, the event description identifies the relevant operation. Other changes to the account that affect the userAccountControl attribute (for example, the Password required setting) are logged as a generic "Account Changed" audit event.
Back to the top

CAUSE

This problem occurs because SAM explicitly audits only changes to the "account disabled" and "account lockout" flags.
Back to the top

RESOLUTION

Service pack information

To resolve this problem, obtain the latest service pack for Microsoft Windows 2000. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
260910  (http://kbalertz.com/Feedback.aspx?kbNumber=260910/ ) How to obtain the latest Windows 2000 service pack
Back to the top

Hotfix information

A supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing this specific problem.

If the hotfix is available for download, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, submit a request to Microsoft Customer Service and Support to obtain the hotfix.

Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft Web site:
http://support.microsoft.com/contactus/?ws=support (http://support.microsoft.com/contactus/?ws=support)
Note The "Hotfix download available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language.

The English version of this hotfix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel. 
   Date         Time   Version        Size       File name
   ----------------------------------------------------------
   15-Aug-2002  20:25  5.0.2195.5781    123,664  Adsldp.dll
   15-Aug-2002  20:25  5.0.2195.5781    131,344  Adsldpc.dll
   15-Aug-2002  20:25  5.0.2195.5781     62,736  Adsmsext.dll
   15-Aug-2002  20:25  5.0.2195.5992    358,160  Advapi32.dll
   15-Aug-2002  20:25  5.0.2195.5265     42,256  Basesrv.dll
   15-Aug-2002  20:25  5.0.2195.5855     49,424  Browser.dll
   15-Aug-2002  20:25  5.0.2195.6012    135,952  Dnsapi.dll
   15-Aug-2002  20:25  5.0.2195.6012     96,016  Dnsrslvr.dll
   15-Aug-2002  20:25  5.0.2195.5722     45,328  Eventlog.dll
   15-Aug-2002  20:25  5.0.2195.5907    222,992  Gdi32.dll
   15-Aug-2002  20:25  5.0.2195.5859    145,680  Kdcsvc.dll
   04-Jun-2002  22:31  5.0.2195.5859    199,952  Kerberos.dll
   15-Aug-2002  20:25  5.0.2195.6011    708,880  Kernel32.dll
   15-Jul-2002  16:52  5.0.2195.5940     71,024  Ksecdd.sys
   23-Jul-2002  00:54  5.0.2195.5960    507,152  Lsasrv.dll
   23-Jul-2002  00:54  5.0.2195.5960     33,552  Lsass.exe
   15-Aug-2002  20:25  5.0.2195.4733    332,560  Msgina.dll
   13-Aug-2002  01:54  5.0.2195.6006    108,816  Msv1_0.dll
   15-Aug-2002  20:25  5.0.2195.5979    307,472  Netapi32.dll
   15-Aug-2002  20:25  5.0.2195.5966    360,720  Netlogon.dll
   15-Aug-2002  20:25  5.0.2195.5979    916,752  Ntdsa.dll
   15-Aug-2002  20:25  5.0.2195.6015    387,856  Samsrv.dll
   15-Aug-2002  20:25  5.0.2195.5951    129,296  Scecli.dll
   15-Aug-2002  20:25  5.0.2195.5951    302,864  Scesrv.dll
   19-Jul-2002  01:45  5.0.2195.5950     64,000  Sp3res.dll
   15-Aug-2002  20:25  5.0.2195.6000    379,664  User32.dll
   15-Aug-2002  20:25  5.0.2195.5968    369,936  Userenv.dll
   15-Aug-2002  20:25  5.0.2195.5859     48,912  W32time.dll
   04-Jun-2002  22:32  5.0.2195.5859     57,104  W32tm.exe
   08-Aug-2002  23:23  5.0.2195.6003  1,642,416  Win32k.sys
   15-Aug-2002  16:30  5.0.2195.6013    179,472  Winlogon.exe
   15-Aug-2002  20:25  5.0.2195.5935    243,472  Winsrv.dll
   15-Aug-2002  20:25  5.0.2195.5944    125,712  Wldap32.dll
Back to the top

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article.

This problem was first corrected in Microsoft Windows 2000 Service Pack 4.
Back to the top

MORE INFORMATION

After you install this hotfix, all changes to the userAccountControl attribute flags are identified in the description field of audit event 642. This includes the following items from the Account tab for a user account (in the Active Directory Users and Computers snap-in):
  • Password never expires
  • Store password using reversible encryption
  • Smart card is required for interactive logon
  • Account is trusted for delegation
  • Account is sensitive and cannot be delegated
  • Use DES encryption types for this account
  • Do not require kerberos preauthentication
For additional information about the flags in the userAccountControl attribute, visit the following Microsoft Web site:
ADS_USER_FLAG_ENUM (http://msdn.microsoft.com/en-us/library/aa772300.aspx)
Note that two flags appear with these options in the Active Directory Users and Computers snap-in but are not changes to userAccountControl. Therefore, these flags are still audited as generic "Account Changed" items: "User cannot change password" and "User must change password at next logon."

The first is a change to the security descriptor on the account object. The second is a change to the pwdLastSet attribute. You can identify both of these by turning on Directory Services auditing. This provides details about which attributes are changed during a modify operation.

For additional information about how to obtain a hotfix for Windows 2000 Datacenter Server, click the following article number to view the article in the Microsoft Knowledge Base:
265173  (http://kbalertz.com/Feedback.aspx?kbNumber=265173/ ) The Datacenter program and Windows 2000 Datacenter Server product
Back to the top
APPLIES TO
  • Microsoft Windows 2000 Server SP1
  • Microsoft Windows 2000 Server SP2
  • Microsoft Windows 2000 Service Pack 3
  • Microsoft Windows 2000 Advanced Server SP1
  • Microsoft Windows 2000 Advanced Server SP2
  • Microsoft Windows 2000 Professional SP1
  • Microsoft Windows 2000 Professional SP2
  • Microsoft Windows 2000 Service Pack 3
Back to the top
Keywords: 
kbautohotfix kbhotfixserver kbqfe kbwin2ksp4fix kbbug kbfix kbqfe kbwin2000presp4fix KB314444
Back to the top
        

Community Feedback System

Very often, it takes hours to solve a problem. Very often, you've looked high and low, and have tried a lot of solutions. When you finally found it, chances are, it was because someone else helped you. Here's your chance to give back. Use our community feedback tool to let others know what worked for you and what didn't.

Please also understand that the community feedback system is not warranted to be correct, it's simply a system that we've built to let people try and help each other. If something in a feedback response doesn't make sense to you, or you're not comfortable making changes that the feedback talks about (like registry edits), please consult a professional.

Thank you for using kbAlertz.com Feedback System.

-- Scott Cate

Copyright © 2002-2007 KBALERTZ.COM.  All Rights Reserved. Terms / PrivacyDiscount ASP.NET Hosting