February 13th, 2004, 08:42 AM
Windows Event ID 643 help please
Okay, so I know that ID 643 is Password Policy Modified
but how does this happen...
What process causes this to happen because I know myself, I didn't modify anything.
I also have a logon ID as (0x0, 0x3E7)
February 13th, 2004, 12:03 PM
Google turned up some good responses. Basically, it's the system itself updating information for itself.
February 13th, 2004, 02:14 PM
Yeh, Believe me I searched in google and I didn't really find anything that explained why.
This PC is sitting on a network and the "password policy modified" should only come from one of the security guys that are modifying the password policy which when the event showed up.. nobody was doing anything. The actual software that picked up the event said an account or password has been locked out. I searched through all accounts and nothing is locked out.
With the username listed as those codes above and not an actual username, I do believe this is something happening internal.. but I need to understand what and why.
February 16th, 2004, 01:43 PM
I maybe wrong here but 0x3E7 doesn't look right to me. This would mean a RID of 999. The Administrator account has 500, guest has 1000 and the first user will get 1001.
Download sid2user/user2sid. That should help you convert SIDs to usernames and vice versa.
Edit: Forget the 0x3E7 comment above. It seems 'normal' behaviour.
Experience is something you don't get until just after you need it.