Event Details
EventID 618 - Encrypted Data Recovery Policy Changed
 Sample:
Event Type:		Success Audit
Event Source:	Security
Event Category:	Policy Change 
Event ID:		618
Date:		4/17/2009
Time:		9:15:04 AM
User:		QC\Administrator
Computer:		KERMIT
Description:
Encrypted Data Recovery Policy Changed:
Changed By:
 	  User Name:	administrator
 	  Domain Name:	QC
 	  Logon ID:	(0x0,0x514A6)
 Changes made:
 ('--' means no changes, otherwise each change is shown as: : ( )) PolEfDat: (none);

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Log Type: Windows Event Log
 Uniquely Identified By:
Log Name: Security
Filtering Field | Equals to Value
OSVersion | Windows 2000, Windows XP, Windows 2003
Category | Policy Change
Source | Security
EventId | 618
Field Matching
Field | Description | Stored in | Sample Value
When | At what date and time a user activity originated in the system. | DateTime | 12/14/2009 6:59:09 AM
Who | Account or user name under which the activity occurred. | User Name |
What | The type of activity that occurred (e.g. Logon, Password Changed, etc.) | "Policy Change" | Policy Change
Where | The name of the workstation/server where the activity was logged. | Computer | DC1
Where From | The name of the workstation/server where the activity was initiated from. | - | 10.10.10.10
Severity | Specify the seriousness of the event. | "Medium" | Medium
WhoDomain | | Domain Name |
WhereDomain | | - |
Policy Name | The name of the affected policy. | "Encrypted Data Recovery Policy" | Encrypted Data Recovery Policy