Windows Security Log Event ID 629
Operating Systems | Windows 2003 and XP
Category | Account Management
Type | Success
Corresponding events in Windows 2008 and Vista | 4725
629: User Account Disabled
Windows logs this event for both user accounts and computer accounts. Computer account names are recognizable by the $ at the end of the name. This event will be accompanied by an event 642 (if a user account) or 646 (if a computer account).
Despite Microsoft's documentation, Windows 2000 does not log event ID 629 explicitly; Windows Server 2003 does log it correctly. On Windows 2000 the result is logged as part of event ID 642, whose description identifies the type of change (see the example below). Windows Server 2003 also logs 642 along with this event, but its 642 format differs from the Windows 2000 format; see 642 for Windows Server 2003.
Event ID 642:
User Account Changed:
Account Disabled.
Target Account Name: Bill
Target Domain: MS0
Target Account ID: S-1-5-21-1234561642-8123456618-725345543-1008
Caller User Name: Administrator
Caller Domain: ACME
Caller Logon ID: (0x0,0xD44E)
Privileges: -
- Target Account Name: %1
- Target Domain: %2
- Target Account ID: %3
- Caller User Name: %4
- Caller Domain: %5
- Caller Logon ID: %6
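
As an added example (not part of the original page or of any Microsoft tooling), the following Python turns the version difference described above into one check over exported event descriptions: event 629 always counts as a disable, event 642 counts only when its description carries the "Account Disabled." line, and a 642 that accompanies a 629 for the same target and caller logon session is not reported twice. The function names, the (event_id, description) input shape, the 629 sample values and the "Account Enabled." line are assumptions constructed for illustration.

```python
import re
FIELD = re.compile(r"^\s*([A-Za-z ]+):\s*(\S.*)$")

# Constructed samples. The first 642 copies the page's Windows 2000 example; the
# 629 text is built from the page's field list; the last 642 is a non-disable change.
W2K_642 = """User Account Changed:
Account Disabled.
Target Account Name: Bill
Target Domain: MS0
Target Account ID: S-1-5-21-1234561642-8123456618-725345543-1008
Caller User Name: Administrator
Caller Domain: ACME
Caller Logon ID: (0x0,0xD44E)
Privileges: -"""
W2K3_629 = """User Account Disabled:
Target Account Name: WKSTN07$
Target Domain: ACME
Target Account ID: S-1-5-21-1111111111-2222222222-3333333333-1105
Caller User Name: Administrator
Caller Domain: ACME
Caller Logon ID: (0x0,0x1A2B3)"""
SAMPLE = [(642, W2K_642), (629, W2K3_629),
          (642, W2K_642.replace("Account Disabled.", "Account Enabled."))]

def parse_fields(description):
    """Return {field: value} for the 'Name: value' lines of an event description."""
    matches = (FIELD.match(line) for line in description.splitlines())
    return {m.group(1).strip(): m.group(2).strip() for m in matches if m}

def is_disable(event_id, description):
    """629 always means disabled; 642 only with the 'Account Disabled.' line."""
    marker = "Account Disabled." in (l.strip() for l in description.splitlines())
    return event_id == 629 or (event_id == 642 and marker)

def disabled_accounts(events):
    """Return one finding per disable from an iterable of (event_id, description)."""
    hits = [(eid, parse_fields(d)) for eid, d in events if is_disable(eid, d)]
    key = lambda f: (f.get("Target Account ID"), f.get("Caller Logon ID"))
    covered = {key(f) for eid, f in hits if eid == 629}
    findings = []
    for eid, f in hits:
        if eid == 642 and key(f) in covered:
            continue  # companion 642 of a 629 that is already reported
        name = f.get("Target Account Name", "")
        findings.append({"event": eid, "target": f.get("Target Domain", "") + "\\" + name,
                         "kind": "computer" if name.endswith("$") else "user",
                         "caller": f.get("Caller Domain", "") + "\\" + f.get("Caller User Name", "")})
    return findings
```

Calling disabled_accounts(SAMPLE) reports the Windows 2000 user account from its 642 and the computer account (trailing $) from its 629, and ignores the 642 that records a different change.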