MARS 5.3 - Locate who/what is applying password reset on users account

Unanswered Question
Aug 27th, 2008

A users account within the AD is repeatedly being set to change password at next logon. How can I search for the cause in MARS or is this type of event not logged?

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
mhellman Wed, 08/27/2008 - 05:13

I believe it will have event id 642 in Windows 2000 or 2003. Google that event id for more information.

mhellman Wed, 08/27/2008 - 07:09

For this example, username is BOB. open up notepad and type:

642Security

Where is the tab key. If you use a space, this won't work. Now ctrl-a to select all and ctrl-c to copy.

Now create a query.

query type = events ranked by time

time range = whenever you think this happened

keyword = AND BOB

submit.

Actions

This Discussion