Some changes to SAM accounts are not explained in audit event 642 (314444)


The information in this article applies to:

  • Microsoft Windows 2000 Server SP1
  • Microsoft Windows 2000 Server SP2
  • Microsoft Windows 2000 Server SP3
  • Microsoft Windows 2000 Advanced Server SP1
  • Microsoft Windows 2000 Advanced Server SP2
  • Microsoft Windows 2000 Professional SP1
  • Microsoft Windows 2000 Professional SP2
  • Microsoft Windows 2000 Professional SP3
This article was previously published under Q314444

SYMPTOMS

Security audit event 642 is logged when a property of an Active Directory user or machine account changes (if Account Management auditing is in use on the domain controllers). If the change involves turning on, turning off, locking, or unlocking an account, the event description identifies the relevant operation. Other changes to the account that affect the userAccountControl attribute (for example, the Password required setting) are logged as a generic "Account Changed" audit event.

CAUSE

This problem occurs because SAM explicitly audits only changes to the "account disabled" and "account lockout" flags.

RESOLUTION

Service pack information

To resolve this problem, obtain the latest service pack for Microsoft Windows 2000. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

260910 How to obtain the latest Windows 2000 service pack

Hotfix information

A supported hotfix is now available from Microsoft, but it is only intended to correct the problem that is described in this article. Only apply it to systems that are experiencing this specific problem. This hotfix may receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next Windows 2000 service pack that contains this hotfix.

To resolve this problem immediately, contact Microsoft Product Support Services to obtain the hotfix. For a complete list of Microsoft Product Support Services telephone numbers and information about support costs, visit the following Microsoft Web site:

http://support.microsoft.com/contactus/?ws=support

Note In special cases, charges that are ordinarily incurred for support calls may be canceled if a Microsoft Support Professional determines that a specific update will resolve your problem. The usual support costs will apply to additional support questions and issues that do not qualify for the specific update in question.

The English version of this hotfix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel. 
   Date         Time   Version        Size       File name
   ----------------------------------------------------------
   15-Aug-2002  20:25  5.0.2195.5781    123,664  Adsldp.dll
   15-Aug-2002  20:25  5.0.2195.5781    131,344  Adsldpc.dll
   15-Aug-2002  20:25  5.0.2195.5781     62,736  Adsmsext.dll
   15-Aug-2002  20:25  5.0.2195.5992    358,160  Advapi32.dll
   15-Aug-2002  20:25  5.0.2195.5265     42,256  Basesrv.dll
   15-Aug-2002  20:25  5.0.2195.5855     49,424  Browser.dll
   15-Aug-2002  20:25  5.0.2195.6012    135,952  Dnsapi.dll
   15-Aug-2002  20:25  5.0.2195.6012     96,016  Dnsrslvr.dll
   15-Aug-2002  20:25  5.0.2195.5722     45,328  Eventlog.dll
   15-Aug-2002  20:25  5.0.2195.5907    222,992  Gdi32.dll
   15-Aug-2002  20:25  5.0.2195.5859    145,680  Kdcsvc.dll
   04-Jun-2002  22:31  5.0.2195.5859    199,952  Kerberos.dll
   15-Aug-2002  20:25  5.0.2195.6011    708,880  Kernel32.dll
   15-Jul-2002  16:52  5.0.2195.5940     71,024  Ksecdd.sys
   23-Jul-2002  00:54  5.0.2195.5960    507,152  Lsasrv.dll
   23-Jul-2002  00:54  5.0.2195.5960     33,552  Lsass.exe
   15-Aug-2002  20:25  5.0.2195.4733    332,560  Msgina.dll
   13-Aug-2002  01:54  5.0.2195.6006    108,816  Msv1_0.dll
   15-Aug-2002  20:25  5.0.2195.5979    307,472  Netapi32.dll
   15-Aug-2002  20:25  5.0.2195.5966    360,720  Netlogon.dll
   15-Aug-2002  20:25  5.0.2195.5979    916,752  Ntdsa.dll
   15-Aug-2002  20:25  5.0.2195.6015    387,856  Samsrv.dll
   15-Aug-2002  20:25  5.0.2195.5951    129,296  Scecli.dll
   15-Aug-2002  20:25  5.0.2195.5951    302,864  Scesrv.dll
   19-Jul-2002  01:45  5.0.2195.5950     64,000  Sp3res.dll
   15-Aug-2002  20:25  5.0.2195.6000    379,664  User32.dll
   15-Aug-2002  20:25  5.0.2195.5968    369,936  Userenv.dll
   15-Aug-2002  20:25  5.0.2195.5859     48,912  W32time.dll
   04-Jun-2002  22:32  5.0.2195.5859     57,104  W32tm.exe
   08-Aug-2002  23:23  5.0.2195.6003  1,642,416  Win32k.sys
   15-Aug-2002  16:30  5.0.2195.6013    179,472  Winlogon.exe
   15-Aug-2002  20:25  5.0.2195.5935    243,472  Winsrv.dll
   15-Aug-2002  20:25  5.0.2195.5944    125,712  Wldap32.dll

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article.

This problem was first corrected in Microsoft Windows 2000 Service Pack 4.

MORE INFORMATION

After you install this hotfix, all changes to the userAccountControl attribute flags are identified in the description field of audit event 642. This includes the following items from the Account tab for a user account (in the Active Directory Users and Computers snap-in):
  • Password never expires
  • Store password using reversible encryption
  • Smart card is required for interactive logon
  • Account is trusted for delegation
  • Account is sensitive and cannot be delegated
  • Use DES encryption types for this account
  • Do not require kerberos preauthentication
For additional information about the flags in the userAccountControl attribute, visit the following Microsoft Web site:

ADS_USER_FLAG_ENUM

Note that two flags appear with these options in the Active Directory Users and Computers snap-in but are not changes to userAccountControl. Therefore, these flags are still audited as generic "Account Changed" items: "User cannot change password" and "User must change password at next logon."

The first is a change to the security descriptor on the account object. The second is a change to the pwdLastSet attribute. You can identify both of these by turning on Directory Services auditing. This provides details about which attributes are changed during a modify operation.

For additional information about how to obtain a hotfix for Windows 2000 Datacenter Server, click the following article number to view the article in the Microsoft Knowledge Base:

265173 The Datacenter program and Windows 2000 Datacenter Server product

Modification Type:MinorLast Reviewed:10/7/2005
Keywords:kbHotfixServer kbQFE kbWin2kSP4fix kbbug kbfix kbQFE kbWin2000preSP4Fix KB314444
©2004 Microsoft Corporation. All rights reserved.