Event Details
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Account Management->EventID 646 - Computer Account Changed [Win 2003]
EventID 646 - Computer Account Changed [Win 2003]
Indicates that a computer account ("target account") was successfully changed by another user ("caller user").

Note:
 
This event occurs only on domain controllers.

Find more information about this event on ultimatewindowssecurity.com.

Corresponding events on other OS versions:


Windows 2000/XP Windows 2008
 Sample:
        Event Type:     Success Audit
        Event Source:   Security
        Event Category: Account Management
        Event ID:       646
        Date:           10/26/2009
        Time:           07:31:56
        User:           RESEARCH\ALebovsky
        Computer:       DC1
        Description:
        Computer Account Changed:
        -
        Target Account Name:	Editor$
        Target Domain:	RESEARCH
        Target Account ID:	%{S-1-5-21-184992632-1607737289-1287950321-1180}
        Caller User Name:	Alebovsky
        Caller Domain:	RESEARCH
        Caller Logon ID:	(0x0,0x59DF36)
        Privileges:	-
        Changed Attributes:
        Sam Account Name:	-
        Display Name:	-
        User Principal Name:	-
        Home Directory:	-
        Home Drive:	-
        Script Path:	-
        Profile Path:	-
        User Workstations:	-
        Password Last Set:	10/26/2009 7:31:56 AM
        Account Expires:	-
        Primary Group ID:	-
        AllowedToDelegateTo:	-
        Old UAC Value:	-
        New UAC Value:	-
        User Account Control:	-
        User Parameters:	-
        Sid History:	-
        Logon Hours:	-
        DNS Host Name:	-
        Service Principal Names:	-
      
Log Type: Windows Event Log
 Uniquely Identified By:
Log Name: Security
Filtering Field Equals to Value
OSVersion Windows 2003
Category Account Management
Source Security
EventId 646
Field Matching
FieldDescriptionStored inSample Value
DateTime Date/Time of event origination in GMT format. DateTime 10.10.2000 19:00:00
Source Name of an Application or System Service originating the event. Source Security
Type Warning, Information, Error, Success, Failure, etc. Type Success
User Domain\Account name of user/service/computer initiating event. User RESEARCH\Alebovsky
Computer Name of server workstation where event was logged. Computer DC1
EventID Numerical ID of event. Unique within one Event Source. EventId 576
Description The entire unparsed event message. Description Special privileges assigned to new logon.
Log Name The name of the event log (e.g. Application, Security, System, etc.) LogName Security
Category A name for a subclass of events within the same Event Source. Category Logon/Logoff
Caller User Name Account initiating action InsertionString5 Alebovsky
Caller Domain Domain of the account initiating action InsertionString6 RESEARCH
Caller Logon ID A number uniquely identifying the logon session of the user initiating action. This number can be used to correlate all user actions within one logon session. InsertionString7 (0x0,0x59DF36)
Target Account Name Name of the account on which the action is performed InsertionString2 Editor$
Target Domain Domain name of the Target Account InsertionString3 RESEARCH
Target Account ID Target Account Name in the following format: Target Domain\Target Account Name InsertionString4 %{S-1-5-21-184992632-1607737289-1287950321-1180}
Privileges Contains the list of privileges. The purpose of this field is unknown. In most cases it is empty. InsertionString8 -
Sam Account Name The logon name used to support clients and servers running older versions of the operating system, such as Windows NT 4.0, Windows 95, Windows 98, and LAN Manager. InsertionString9 -
Display Name This is usually the combination of the users first name, middle initial, and last name. InsertionString10 SCOM-TERM2$
User Principal Name User name in an e-mail address format. The username is followed by the "@" followed by the name of the domain with which the user is associated. InsertionString11 -
Home Directory The home directory for the account. If Home Drive is set and specifies a drive letter, Home Directory must be a UNC path. Otherwise, Home Directory is a fully qualified local path including the drive letter (e.g. "c:\directory\folder"). InsertionString12 -
Home Drive Specifies the drive letter to which to map the UNC path specified by Home Directory. InsertionString13 -
Script Path The path for the user's logon script. InsertionString14 -
Profile Path The path to the user's profile. InsertionString15 -
User Workstations Contains the NetBIOS or DNS names of the computers from which the user can log on. InsertionString16 -
Password Last Set The date and time that the password for this account was last changed. This value is stored as a large integer that represents the number of 100 nanosecond intervals since January 1, 1601 (UTC). InsertionString17 2/2/2009 5:10:09 PM
Account Expires The date when the account expires. This value represents the number of 100 nanosecond intervals since January 1, 1601 (UTC). InsertionString18 -
Primary Group ID Contains the relative identifier (RID) for the primary group of the user. By default, this is the RID for the Domain Users group. InsertionString19 -
AllowedToDelegateTo Contains the list of Service Principal Names (SPN) to which this user (normally service or computer account) can forward credentials on behalf of the client. InsertionString20 -
Old UAC Value Bitwise representation of User Account Control Options check list (old value) InsertionString21 0x85
New UAC Value Bitwise representation of User Account Control Options check list (new value) InsertionString22 0x80
User Account Control Descriptions of set flags that control the behavior of the user account. InsertionString23 Account Enabled 'Password Not Required' - Disabled
User Parameters Used to store user data specific to the individual program. InsertionString24 -
Sid History Contains previous SIDs used for the object if the object was moved from another domain. InsertionString25 -
Logon Hours The hours that the user is allowed to logon to the domain. InsertionString26 -
DNS Host Name Name of computer as registered in DNS. InsertionString27 -
Service Principal Names List of principal names used for mutual authentication with an instance of a service on this machine. InsertionString28 -
Comments
You must be logged in to comment