|
|
|
Forum Newbie
Group: Forum Members
Last Login: 10/20/2010 11:14:17 AM
Posts: 2,
Visits: 0
|
|
| I get the following Events from Windows 2008 for Account Password Changes. The first one has the Target Account as Anonymous Logon but the Source account is the user. Does anyone know why this occurs? 2010-10-20 09:57:24.0 127.0.0.1 abc.123.com Windows Events (NIC) WINDOWS HOSTS 1402040100 User.Management.Password.Modification Security_4723_Microsoft-Windows-Security-Auditing 2010-10-20 09:56:41.0 Security Microsoft-Windows-Security-Auditing Success Audit 4723 An attempt was made to change an account s password. 0 0 0 abc.123.com NT AUTHORITY/ANONYMOUS LOGON ANONYMOUS LOGON NT AUTHORITY 0xf039a976 juser FOOBAR 0 0.0 None 0 - User Account Management 0 0 0 0.0 0 An attempt was made to change an account s password. Subject: Security ID: NT AUTHORITY/ANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0xf039a976 Target Account: Security ID: FOOBAR/juser Account Name: juser Account Domain: FOOBAR Additional Information: Privileges -
Here is what looks to be "normal" 2010-10-20 10:22:15.0 127.0.0.1 abc.123.com Windows Events (NIC) WINDOWS HOSTS 1402040100 User.Management.Password.Modification Security_4723_Microsoft-Windows-Security-Auditing 2010-10-20 10:21:15.0 Security Microsoft-Windows-Security-Auditing Success Audit 4723 An attempt was made to change an account s password. 0 0 0 abc.123.com FOOBAR/juser juser FOOBAR 0xf0647f0b juser FOOBAR 0 0.0 None 0 - User Account Management 0 0 0 0.0 0 An attempt was made to change an account s password. Subject: Security ID: FOOBAR/juser Account Name: juser Account Domain: FOOBAR Logon ID: 0xf0647f0b Target Account: Security ID: FOOBAR/juser Account Name: juser Account Domain: FOOBAR Additional Information: Privileges
|
|
|
|
|
Forum Newbie
Group: Forum Members
Last Login: 10/20/2010 11:14:17 AM
Posts: 2,
Visits: 0
|
|
| Sorry, made a mistake and can't edit. The Subject Account in the first example is Anonymous Logon, but the Target Account is Juser which does not match. The second example the Subject and Target match.
|
|
|
|
|
Expert
Group: Administrators
Last Login: 4/20/2009 7:57:33 AM
Posts: 326,
Visits: 0
|
|
| I wouldn't stress too much about it because you can't use the "change password" operation unless you successfully specify the old password. Look backwards in the log for other events such as 4624 (logon) and process start events with the same Logon ID. Might help you figure out what is going on.
|
|
|
|
|
Forum Newbie
Group: Forum Members
Last Login: 5/3/2011 1:04:29 PM
Posts: 2,
Visits: 0
|
|
| Dear Randy, I have stoeckp same logs. For one user, I have first Microsoft-Windows-Security-Auditing:4771 from Domain Controler A The next log for the same user, from DC B, is Microsoft-Windows-Security-Auditing:4738. This log shows a Target Account as Anonymous Logon and the Source account is the user. What does it mean ? Thank you
|
|
|
|
|
Expert
Group: Administrators
Last Login: 4/20/2009 7:57:33 AM
Posts: 326,
Visits: 0
|
|
| Please post this as a new discussion under 4738 along with a sample of the event.
|
|
|
|