In 2003, I think this is a 627.
Christopher Bodnar Enterprise Architect I, Corporate Office of Technology:Enterprise Architecture and Engineering Services Tel 610-807-6459 3900 Burgess Place, Bethlehem, PA 18017 christopher_bod...@glic.com The Guardian Life Insurance Company of America www.guardianlife.com From: "Ziots, Edward" <ezi...@lifespan.org> To: "NT System Admin Issues" <ntsysadmin@lyris.sunbelt-software.com> Date: 11/29/2012 10:28 AM Subject: RE: Auditing proof of password change The admin password change should show in the Security Eventlog. David this is from Windows 2008 Auditing guidelines, Recommended Setting: Success and Failure (DC’s and Member Servers) Notes: This security policy setting determines whether the operating system generates audit events when the following user account management tasks are performed: · A user account is created, changed, deleted, renamed, disabled, enabled, locked out, or unlocked. · A user account password is set or changed. · Security identifier (SID) history is added to a user account. · The Directory Services Restore Mode password is set. · Permissions on accounts that are members of administrators groups are changed. · Credential Manager Credentials are backed up or restored. · This policy setting is essential for tracking events that involve provisioning and managing user accounts. Event ID’s:4720, 4722, 4723, 4724, 4725, 4726, 4738, 4740, 4765, 4766, 4767, 4780, 4781, 4794, 5376, 5377. Account Management User Account Management 4720 A user account was created. Windows Vista, Windows Server 2008 Account Management User Account Management 4722 A user account was enabled. Windows Vista, Windows Server 2008 Account Management User Account Management 4723 An attempt was made to change an account's password. Windows Vista, Windows Server 2008 Account Management User Account Management 4724 An attempt was made to reset an account's password. Windows Vista, Windows Server 2008 Account Management User Account Management 4725 A user account was disabled. Windows Vista, Windows Server 2008 Account Management User Account Management 4726 A user account was deleted. Windows Vista, Windows Server 2008 Account Management User Account Management 4738 A user account was changed. Windows Vista, Windows Server 2008 Account Management User Account Management 4740 A user account was locked out. Windows Vista, Windows Server 2008 Account Management User Account Management 4765 SID History was added to an account. Windows Vista, Windows Server 2008 Account Management User Account Management 4766 An attempt to add SID History to an account failed. Windows Vista, Windows Server 2008 Account Management User Account Management 4767 A user account was unlocked. Windows Vista, Windows Server 2008 Account Management User Account Management 4780 The ACL was set on accounts which are members of administrators groups. Windows Vista, Windows Server 2008 Account Management User Account Management 4781 The name of an account was changed: Windows Vista, Windows Server 2008 Account Management User Account Management 4794 An attempt was made to set the Directory Services Restore Mode. Windows Vista, Windows Server 2008 Account Management User Account Management 5376 Credential Manager credentials were backed up. Windows Vista, Windows Server 2008 Account Management User Account Management 5377 Credential Manager credentials were restored from a backup. Windows Vista, Windows Server 2008 Hit me offline if you need more. Z Edward E. Ziots, CISSP, Security +, Network + Security Engineer Lifespan Organization ezi...@lifespan.org From: David Lum [mailto:david....@nwea.org] Sent: Thursday, November 29, 2012 10:20 AM To: NT System Admin Issues Subject: Auditing proof of password change I have an audit request to prove that we change administrative passwords on a periodic basis. Surely some of you have to do this on occasion and if so, how do you go about it? Event log reporting? David Lum Sr. Systems Engineer // NWEATM Office 503.548.5229 // Cell (voice/text) 503.267.9764 ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe ntsysadmin ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe ntsysadmin ----------------------------------------- This message, and any attachments to it, may contain information that is privileged, confidential, and exempt from disclosure under applicable law. If the reader of this message is not the intended recipient, you are notified that any use, dissemination, distribution, copying, or communication of this message is strictly prohibited. If you have received this message in error, please notify the sender immediately by return e-mail and delete the message and any attachments. Thank you. ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe ntsysadmin
<<image/jpeg>>