Event Details
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Account Management->EventID 643 - Domain Policy Changed [Win 2003]
EventID 643 - Domain Policy Changed [Win 2003]
Indicates that a domain policy was successfully changed by "caller user".

Find more information about this event on ultimatewindowssecurity.com.

Corresponding events on other OS versions:


Windows 2000 / XP
Windows 2008
 Sample:
        Event Type:     Success Audit
        Event Source:   Security
        Event Category: Account Management
        Event ID:       643
        Date:           10/26/2009
        Time:           07:31:45
        User:           RESEARCH\ALebovsky
        Computer:       DC1
        Description:
        Domain Policy Changed: Password Policy modified
        Domain Name:		RESEARCH
        Domain ID:	%{S-1-5-21-184992632-1607737289-1287950321}
        Caller User Name:	Alebovsky
        Caller Domain:	RESEARCH
        Caller Logon ID:	(0x0,0x59DF36)
        Privileges:	-
        Changed Attributes:
        Min. Password Age:	0
        Max. Password Age:	-
        Force Logoff:	-
        Lockout Threshold:	-
        Lockout Observation Window:	-
        Lockout Duration:	-
        Password Properties:	-
        Min. Password Length:	-
        Password History Length:	-
        Machine Account Quota:	-

        Mixed Domain Mode:	-
        Domain Behavior Version:	-
        OEM Information:	-
      
Log Type: Windows Event Log
 Uniquely Identified By:
Log Name: Security
Filtering Field Equals to Value
OSVersion Windows 2003
Category Account Management
Source Security
EventId 643
Field Matching
FieldDescriptionStored inSample Value
DateTime Date/Time of event origination in GMT format. DateTime 10.10.2000 19:00:00
Source Name of an Application or System Service originating the event. Source Security
Type Warning, Information, Error, Success, Failure, etc. Type Success
User Domain\Account name of user/service/computer initiating event. User RESEARCH\Alebovsky
Computer Name of server workstation where event was logged. Computer DC1
EventID Numerical ID of event. Unique within one Event Source. EventId 576
Description The entire unparsed event message. Description Special privileges assigned to new logon.
Log Name The name of the event log (e.g. Application, Security, System, etc.) LogName Security
Category A name for a subclass of events within the same Event Source. Category Logon/Logoff
Caller User Name Account initiating action InsertionString4 Alebovsky
Caller Domain Domain of the account initiating action InsertionString5 RESEARCH
Caller Logon ID A number uniquely identifying the logon session of the user initiating action. This number can be used to correlate all user actions within one logon session. InsertionString6 (0x0,0x59DF36)
Domain Policy Changed The name of the affected policy InsertionString1
Domain Name The name of the domain whose policy has been changed InsertionString2 RESEARCH
Domain ID The SID of the domain whose policy has been changed. In the event message it is normally resolved to the Domain Name. InsertionString3 %{S-1-5-21-184992632-1607737289-1287950321}
Privileges Contains the list of privileges. The purpose of this field is unknown. In most cases it is empty. InsertionString7 -
Min. Password Age The minimum amount of time that a password is valid. InsertionString8 -
Max. Password Age The maximum amount of time a password is valid. This value is stored as a large integer that represents the number of 100 nanosecond intervals from the time the password was set before the password expires. InsertionString9 -
Force Logoff Used in computing the kick off time. Logoff time minus Force Log off equals kick off time. InsertionString10 -
Lockout Threshold The number of invalid logon attempts that are permitted before the account is locked out. InsertionString11 -
Lockout Observation Window The window of time in which the system increments the count of invalig logon attempts allowed in "Lockout Threshold". InsertionString12 -
Lockout Duration The amount of time that an account is locked due to the "Lockout Threshold" being exceeded. InsertionString13 -
Password Properties A bit field to indicate password complexity / storage restrictions. InsertionString14 16
Min. Password Length The minimum number of characters that a password must contain. InsertionString15 -
Password History Length The number of old passwords to save. InsertionString16 1
Machine Account Quota The number of computer accounts that a user is allowed to create in a domain. InsertionString17 -
Mixed Domain Mode Indicates that the domain is in native mode or mixed mode. InsertionString18 -
Domain Behavior Version This attribute is used to track the domain or forest behavior version. It is a monotonically increasing number that is used to enable certain Active Directory features. InsertionString19 -
OEM Information For holding OEM information. No longer used. Here for backward compatibility. InsertionString20 -
Comments
You must be logged in to comment