Home | Contact | Rants | Software Tips | GTMO | Web Design | Jokes | Windows Tweaks | Quotes | About Me
 
 
     
 
 
     
  Microsoft Windows NT Server
Advanced Tips
Brown Line Microsoft Windows NT Tips
  
  Who changed the @!#* administrator's password?  
  To determine the UserName that changed the Administrator password, perform the following on the PDC:
  1. Enable Success and Failure audits for File and Object Access using User Manager for Domains / Policies / Audit
  2. Using Regedt32, select the SAM key in HKEY_LOCAL_MACHINE and use Security / Permissions to set Full Control for the Administrators local group. Check Change Permissions on Existing Subkeys
  3. Navigate to HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\000001F4, select Security / Audit Permissions and add the Administrators local group to the list. Select this group and enable Success and Failure auditing for Set Value events on this and all subkeys.

When a change is made to the Administrator account, the event:

ID: 560
Source: Security
Type: Success Audit
Category: Object Access will indicate the UserName.

  
     
     
 
windows, tips, tweaks, software, microsoft office, access, excel, word, powerpoint, frontpage Report Broken Links windows, tips, tweaks, software, microsoft office, access, excel, word, powerpoint, frontpage
 
     
TUATM: Microsoft Office Software Tips
Lunatic Fringe Enterprises
Guantanamo Bay, Cuba
Revised: Saturday, April 19, 2008 2:40 PM
 
Home | Contact | Rants | Software Tips | GTMO | Web Design | Jokes | Windows Tweaks | Quotes | About Me
windows NT server, optimization, tips, performance, tweaks, registry, hacks, windows NT server, optimization, tips, performance, tweaks, registry, hacks