-
Title
Password change events not showing who information -
Description
Depending on where the password change events are made, the who information in the event may show NT AUTHORITY\SYSTEM instead of the actual user making the change.
-
Cause
This information is only available within the Security Event log. To report this information, Security Event log scavenging must be enabled.
-
Resolution
Please see Note 3 in the Changeauditor Event Reference Guide. This document can be downloaded through Supportlink under Product Resources.
To generate this event in Change Auditor, you must first:
Enable the event (Audit Events on Administration Tasks tab)
Set the following settings in the group policy linked to the monitored DC or member server:
Audit Account Logon Events = success/Fail
Audit Logon Events = Success/Fail
Audit Account Management = Success/Fail
In addition, to retrieve the Who information for this event, you must also enable Security Event log monitoring (Agent Configuration on the
Administration Tasks tab). Monitoring the Security Event log can lead to higher CPU utilization on your servers. Also, depending on the number of events per second that you receive in the Security Event log, there may be a chance of event loss. -
Defect ID
TF00176093 -
Additional Information
NOTE: This solution is valid for ChangeAuditor versions 4.9.x and older. Please review the following thread for more information:
http://compliancesuite.inside.quest.com/thread.jspa?threadID=28198