Microsoft KB Archive/314444

= Some changes to SAM accounts are not explained in audit event 642 =

Article ID: 314444

Article Last Modified on 1/31/2007

-

APPLIES TO


 * Microsoft Windows 2000 Service Pack 1
 * Microsoft Windows 2000 Service Pack 2
 * Microsoft Windows 2000 Service Pack 3
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Service Pack 1
 * Microsoft Windows 2000 Service Pack 2
 * Microsoft Windows 2000 Service Pack 3

-



This article was previously published under Q314444



SYMPTOMS
Security audit event 642 is logged when a property of an Active Directory user or machine account changes (if Account Management auditing is in use on the domain controllers). If the change involves turning on, turning off, locking, or unlocking an account, the event description identifies the relevant operation. Other changes to the account that affect the userAccountControl attribute (for example, the Password required setting) are logged as a generic &quot;Account Changed&quot; audit event.



CAUSE
This problem occurs because SAM explicitly audits only changes to the &quot;account disabled&quot; and &quot;account lockout&quot; flags.



Service pack information
To resolve this problem, obtain the latest service pack for Microsoft Windows 2000. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

260910 How to obtain the latest Windows 2000 service pack

Hotfix information
A supported hotfix is now available from Microsoft, but it is only intended to correct the problem that is described in this article. Only apply it to systems that are experiencing this specific problem. This hotfix may receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next Windows 2000 service pack that contains this hotfix.

To resolve this problem immediately, contact Microsoft Product Support Services to obtain the hotfix. For a complete list of Microsoft Product Support Services telephone numbers and information about support costs, visit the following Microsoft Web site:

http://support.microsoft.com/contactus/?ws=support

Note In special cases, charges that are ordinarily incurred for support calls may be canceled if a Microsoft Support Professional determines that a specific update will resolve your problem. The usual support costs will apply to additional support questions and issues that do not qualify for the specific update in question.

The English version of this hotfix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.   Date         Time   Version        Size       File name --  15-Aug-2002  20:25  5.0.2195.5781    123,664  Adsldp.dll 15-Aug-2002 20:25  5.0.2195.5781    131,344  Adsldpc.dll 15-Aug-2002 20:25  5.0.2195.5781     62,736  Adsmsext.dll 15-Aug-2002 20:25  5.0.2195.5992    358,160  Advapi32.dll 15-Aug-2002 20:25  5.0.2195.5265     42,256  Basesrv.dll 15-Aug-2002 20:25  5.0.2195.5855     49,424  Browser.dll 15-Aug-2002 20:25  5.0.2195.6012    135,952  Dnsapi.dll 15-Aug-2002 20:25  5.0.2195.6012     96,016  Dnsrslvr.dll 15-Aug-2002 20:25  5.0.2195.5722     45,328  Eventlog.dll 15-Aug-2002 20:25  5.0.2195.5907    222,992  Gdi32.dll 15-Aug-2002 20:25  5.0.2195.5859    145,680  Kdcsvc.dll 04-Jun-2002 22:31  5.0.2195.5859    199,952  Kerberos.dll 15-Aug-2002 20:25  5.0.2195.6011    708,880  Kernel32.dll 15-Jul-2002 16:52  5.0.2195.5940     71,024  Ksecdd.sys 23-Jul-2002 00:54  5.0.2195.5960    507,152  Lsasrv.dll 23-Jul-2002 00:54  5.0.2195.5960     33,552  Lsass.exe 15-Aug-2002 20:25  5.0.2195.4733    332,560  Msgina.dll 13-Aug-2002 01:54  5.0.2195.6006    108,816  Msv1_0.dll 15-Aug-2002 20:25  5.0.2195.5979    307,472  Netapi32.dll 15-Aug-2002 20:25  5.0.2195.5966    360,720  Netlogon.dll 15-Aug-2002 20:25  5.0.2195.5979    916,752  Ntdsa.dll 15-Aug-2002 20:25  5.0.2195.6015    387,856  Samsrv.dll 15-Aug-2002 20:25  5.0.2195.5951    129,296  Scecli.dll 15-Aug-2002 20:25  5.0.2195.5951    302,864  Scesrv.dll 19-Jul-2002 01:45  5.0.2195.5950     64,000  Sp3res.dll 15-Aug-2002 20:25  5.0.2195.6000    379,664  User32.dll 15-Aug-2002 20:25  5.0.2195.5968    369,936  Userenv.dll 15-Aug-2002 20:25  5.0.2195.5859     48,912  W32time.dll 04-Jun-2002 22:32  5.0.2195.5859     57,104  W32tm.exe 08-Aug-2002 23:23  5.0.2195.6003  1,642,416  Win32k.sys 15-Aug-2002 16:30  5.0.2195.6013    179,472  Winlogon.exe 15-Aug-2002 20:25  5.0.2195.5935    243,472  Winsrv.dll 15-Aug-2002 20:25  5.0.2195.5944    125,712  Wldap32.dll



STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article.

This problem was first corrected in Microsoft Windows 2000 Service Pack 4.



MORE INFORMATION
After you install this hotfix, all changes to the userAccountControl attribute flags are identified in the description field of audit event 642. This includes the following items from the Account tab for a user account (in the Active Directory Users and Computers snap-in):
 * Password never expires
 * Store password using reversible encryption
 * Smart card is required for interactive logon
 * Account is trusted for delegation
 * Account is sensitive and cannot be delegated
 * Use DES encryption types for this account
 * Do not require kerberos preauthentication

For additional information about the flags in the userAccountControl attribute, visit the following Microsoft Web site:

ADS_USER_FLAG_ENUM

Note that two flags appear with these options in the Active Directory Users and Computers snap-in but are not changes to userAccountControl. Therefore, these flags are still audited as generic &quot;Account Changed&quot; items: &quot;User cannot change password&quot; and &quot;User must change password at next logon.&quot;

The first is a change to the security descriptor on the account object. The second is a change to the pwdLastSet attribute. You can identify both of these by turning on Directory Services auditing. This provides details about which attributes are changed during a modify operation.

For additional information about how to obtain a hotfix for Windows 2000 Datacenter Server, click the following article number to view the article in the Microsoft Knowledge Base:

265173 The Datacenter program and Windows 2000 Datacenter Server product

Keywords: kbbug kbfix kbwin2000presp4fix kbqfe kbwin2ksp4fix kbhotfixserver KB314444

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.