Seems like that level of auditing should do the trick - you just need it enabled on your domain controllers. Default domain policy would set it on all computer in your domain (not necessarily a bad thing, but not necessary in this case). Filter for event ID 627 or 628 in your security logs for your domain controllers.
James Winzenz Infrastructure Engineer - Security Pulte Homes Information Services ________________________________ From: Ziots, Edward [mailto:[EMAIL PROTECTED] Posted At: Friday, February 01, 2008 11:07 AM Posted To: NTSysadmin Conversation: Question on Account Management in AD Subject: Question on Account Management in AD Importance: High Folks, I have been asked to try and find who changed a password to a user account in AD. At the Domain Controllers Policy Level ( Account Management is Success and Failure) When I look at the accounts the auditing is for success and failure. Do I also need to enable this at the Default Domain Policy *( I don't think I do, but just need a quick sanity check) Z Edward E. Ziots Netwok Engineer Lifespan Organization MCSE,MCSA,MCP,Security+,Network+,CCA Phone: 401-639-3505 CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited. If you have received this communication in error, please notify the sender immediately by email and delete the message and any file attachments from your computer. Thank you. ~ Upgrade to Next Generation Antispam/Antivirus with Ninja! ~ ~ <http://www.sunbelt-software.com/SunbeltMessagingNinja.cfm> ~