Article ID: 314444
Article Last Modified on 1/31/2007
APPLIES TO
- Microsoft Windows 2000 Service Pack 1
- Microsoft Windows 2000 Service Pack 2
- Microsoft Windows 2000 Service Pack 3
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Service Pack 1
- Microsoft Windows 2000 Service Pack 2
- Microsoft Windows 2000 Service Pack 3
This article was previously published under Q314444
SYMPTOMS
Security audit event 642 is logged when a property of an Active Directory user or machine account changes (if Account Management auditing is in use on the domain controllers). If the change involves turning on, turning off, locking, or unlocking an account, the event description identifies the relevant operation. Other changes to the account that affect the userAccountControl attribute (for example, the Password required setting) are logged as a generic "Account Changed" audit event.
CAUSE
This problem occurs because SAM explicitly audits only changes to the "account disabled" and "account lockout" flags.
RESOLUTION
Service pack information
To resolve this problem, obtain the latest service pack for Microsoft Windows 2000. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
260910 How to obtain the latest Windows 2000 service pack
Hotfix information
A supported hotfix is now available from Microsoft, but it is only intended to correct the problem that is described in this article. Only apply it to systems that are experiencing this specific problem. This hotfix may receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next Windows 2000 service pack that contains this hotfix.
To resolve this problem immediately, contact Microsoft Product Support Services to obtain the hotfix. For a complete list of Microsoft Product Support Services telephone numbers and information about support costs, visit the following Microsoft Web site:
Note In special cases, charges that are ordinarily incurred for support calls may be canceled if a Microsoft Support Professional determines that a specific update will resolve your problem. The usual support costs will apply to additional support questions and issues that do not qualify for the specific update in question.
The English version of this hotfix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.
Date Time Version Size File name ---------------------------------------------------------- 15-Aug-2002 20:25 5.0.2195.5781 123,664 Adsldp.dll 15-Aug-2002 20:25 5.0.2195.5781 131,344 Adsldpc.dll 15-Aug-2002 20:25 5.0.2195.5781 62,736 Adsmsext.dll 15-Aug-2002 20:25 5.0.2195.5992 358,160 Advapi32.dll 15-Aug-2002 20:25 5.0.2195.5265 42,256 Basesrv.dll 15-Aug-2002 20:25 5.0.2195.5855 49,424 Browser.dll 15-Aug-2002 20:25 5.0.2195.6012 135,952 Dnsapi.dll 15-Aug-2002 20:25 5.0.2195.6012 96,016 Dnsrslvr.dll 15-Aug-2002 20:25 5.0.2195.5722 45,328 Eventlog.dll 15-Aug-2002 20:25 5.0.2195.5907 222,992 Gdi32.dll 15-Aug-2002 20:25 5.0.2195.5859 145,680 Kdcsvc.dll 04-Jun-2002 22:31 5.0.2195.5859 199,952 Kerberos.dll 15-Aug-2002 20:25 5.0.2195.6011 708,880 Kernel32.dll 15-Jul-2002 16:52 5.0.2195.5940 71,024 Ksecdd.sys 23-Jul-2002 00:54 5.0.2195.5960 507,152 Lsasrv.dll 23-Jul-2002 00:54 5.0.2195.5960 33,552 Lsass.exe 15-Aug-2002 20:25 5.0.2195.4733 332,560 Msgina.dll 13-Aug-2002 01:54 5.0.2195.6006 108,816 Msv1_0.dll 15-Aug-2002 20:25 5.0.2195.5979 307,472 Netapi32.dll 15-Aug-2002 20:25 5.0.2195.5966 360,720 Netlogon.dll 15-Aug-2002 20:25 5.0.2195.5979 916,752 Ntdsa.dll 15-Aug-2002 20:25 5.0.2195.6015 387,856 Samsrv.dll 15-Aug-2002 20:25 5.0.2195.5951 129,296 Scecli.dll 15-Aug-2002 20:25 5.0.2195.5951 302,864 Scesrv.dll 19-Jul-2002 01:45 5.0.2195.5950 64,000 Sp3res.dll 15-Aug-2002 20:25 5.0.2195.6000 379,664 User32.dll 15-Aug-2002 20:25 5.0.2195.5968 369,936 Userenv.dll 15-Aug-2002 20:25 5.0.2195.5859 48,912 W32time.dll 04-Jun-2002 22:32 5.0.2195.5859 57,104 W32tm.exe 08-Aug-2002 23:23 5.0.2195.6003 1,642,416 Win32k.sys 15-Aug-2002 16:30 5.0.2195.6013 179,472 Winlogon.exe 15-Aug-2002 20:25 5.0.2195.5935 243,472 Winsrv.dll 15-Aug-2002 20:25 5.0.2195.5944 125,712 Wldap32.dll
STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article.
This problem was first corrected in Microsoft Windows 2000 Service Pack 4.
MORE INFORMATION
After you install this hotfix, all changes to the userAccountControl attribute flags are identified in the description field of audit event 642. This includes the following items from the Account tab for a user account (in the Active Directory Users and Computers snap-in):
- Password never expires
- Store password using reversible encryption
- Smart card is required for interactive logon
- Account is trusted for delegation
- Account is sensitive and cannot be delegated
- Use DES encryption types for this account
- Do not require kerberos preauthentication
For additional information about the flags in the userAccountControl attribute, visit the following Microsoft Web site:
Note that two flags appear with these options in the Active Directory Users and Computers snap-in but are not changes to userAccountControl. Therefore, these flags are still audited as generic "Account Changed" items: "User cannot change password" and "User must change password at next logon."
The first is a change to the security descriptor on the account object. The second is a change to the pwdLastSet attribute. You can identify both of these by turning on Directory Services auditing. This provides details about which attributes are changed during a modify operation.
For additional information about how to obtain a hotfix for Windows 2000 Datacenter Server, click the following article number to view the article in the Microsoft Knowledge Base:
265173 The Datacenter program and Windows 2000 Datacenter Server product
Keywords: kbbug kbfix kbwin2000presp4fix kbqfe kbwin2ksp4fix kbhotfixserver KB314444