I've been trying to track them with MOM and have concluded that 642's are a "can of worms." What tends to happen is that a single change will generate one 642 with a description of the change (Account Unlocked, etc.), followed by one or more additional 642's with no description whatsoever.
I've even run across situations where I thought a 645 "Computer Account Created" should have been generated, but instead got a 642 "User Account Changed: User Account Created Target Account ID: TEST$ - that was from RIS I guess I could also use some help. Bruce Hansen -----Original Message----- From: Thommes, Michael M. [mailto:[EMAIL PROTECTED] Sent: Monday, August 11, 2003 6:59 AM To: [EMAIL PROTECTED] Subject: [ActiveDir] how to identify what got changed in a user's account? Hi, I am trying to identify exactly what got changed in a user's account (W2K domain). I know that a change will create a Security log record, EventID 642, category "Account Management", type "Success". It will identify the account that got changed ("Target Account ID") and who made the change ( "Caller User Name"). But how do you tell *exactly* what changed? Is there additional logging that must be enabled? Thank for any info! Mike Thommes List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/