MARS 5.3 - Locate who/what is applying password reset on users account

Unanswered Question
Aug 27th, 2008
User Badges:

A users account within the AD is repeatedly being set to change password at next logon. How can I search for the cause in MARS or is this type of event not logged?

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
mhellman Wed, 08/27/2008 - 05:13
User Badges:
  • Blue, 1500 points or more

I believe it will have event id 642 in Windows 2000 or 2003. Google that event id for more information.

andrew-mccabe Wed, 08/27/2008 - 06:06
User Badges:

Thank you.

Can you explain how I can search for this event in MARS?

mhellman Wed, 08/27/2008 - 07:09
User Badges:
  • Blue, 1500 points or more

For this example, username is BOB. open up notepad and type:


642Security


Where is the tab key. If you use a space, this won't work. Now ctrl-a to select all and ctrl-c to copy.


Now create a query.

query type = events ranked by time

time range = whenever you think this happened

keyword = AND BOB


submit.

Actions

This Discussion