
JSI Tip 0255 - Who changed the @!#* administrator's password?

To determine the UserName that changed the Administrator password, perform the following on the Primary Domain Controller (PDC):

1. Enable Success and Failure audits for File and Object Access using
   User Manager for Domains / Policies / Audit.

2. Using Regedt32, select the SAM key in HKEY_LOCAL_MACHINE and use Security / Permissions
   to set Full Control for the Administrators local group. Check Change Permissions on Existing Subkeys.

3. Navigate to HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\000001F4, select Security / Audit Permissions
   and add the Administrators local group to the list. Select this group and enable Success and Failure auditing
   for Set Value events on this and all subkeys.

When a change is made to the Administrator account, the event:

ID: 560
Source: Security
Type: Success Audit
Category: Object Access

will indicate the UserName.
