[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 60
MinimumPasswordLength = 8
PasswordComplexity = 1
PasswordHistorySize = 4
LockoutBadCount = 50
ResetLockoutCount = 30
LockoutDuration = 30
RequireLogonToChangePassword = 0
ForceLogoffWhenHourExpire = 0
ClearTextPassword = 0
LSAAnonymousNameLookup = 0
1. Put an auditing entry on the “Policies” container. Enabling auditing for EVERYONE on the “CN=Policies,CN=System,DC=<your domain>” container causes auditing to track all writes, deletes, and permission modifications. The audit event shows the user modifying group policy in general. Obviously, this is useful for more than just password policy changes – “Hey, who set this policy to push a Domo-Kun wallpaper out to all the computers?”
2. Enable subcategory auditing for:
a. “Authentication Policy Change” (if using Windows Server 2008 R2 DCs).
b. “Other Account Management Events” (if using Windows Server 2008 DCs).
3. Enable subcategory auditing for “Directory Service Changes”.
Note: In Windows Server 2008 R2, granular subcategory auditing is available through GPMC.
In Windows Server 2008, you need to use the script provided in KB921469 .
1. An event 5136 will be written that shows the versionNumber attribute of the policy being raised:
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 10/24/2009 3:04:17 PM
Event ID: 5136
Task Category: Directory Service Changes
Level: Information
Keywords: Audit Success
User: N/A
Computer: 2008r2-f-01.contoso.com
Description:
A directory service object was modified.
Subject:
Security ID: CONTOSO\Administrator
Account Name: Administrator
Account Domain: CONTOSO
Logon ID: 0x1e936
Directory Service:
Name: contoso.com
Type: Active Directory Domain Services
Object:
DN: CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=POLICIES,CN=SYSTEM,DC=CONTOSO,DC=COM
GUID: CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=contoso,DC=com
Class: groupPolicyContainer
Attribute:
LDAP Display Name: versionNumber
Syntax (OID): 2.5.5.9
Value: 121
Note: The event shows the name of the user that modified the policy. Every policy edit raises the version number, so this event does not tell you what changed, only that someone changed it and that you need to go look at the policy.
2. Windows writes a follow-up event (event id 4739) for each type of change – lockout policy or password policy. For example:
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 10/24/2009 3:01:28 PM
Event ID: 4739
Task Category: Authentication Policy Change
Level: Information
Keywords: Audit Success
User: N/A
Computer: 2008r2-f-01.contoso.com
Description:
Domain Policy was changed.
Change Type: Lockout Policy modified
Subject:
Security ID: SYSTEM
Account Name: 2008R2-F-01$
Account Domain: CONTOSO
Logon ID: 0x3e7
Domain:
Domain Name: CONTOSO
Domain ID: CONTOSO
Changed Attributes:
Min. Password Age: -
Max. Password Age: -
Force Logoff: -
Lockout Threshold: 500
Lockout Observation Window:
Lockout Duration:
Password Properties:
Min. Password Length:
Password History Length:
Machine Account Quota:
Mixed Domain Mode:
Domain Behavior Version:
OEM Information: -
====
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 10/24/2009 3:04:23 PM
Event ID: 4739
Task Category: Authentication Policy Change
Level: Information
Keywords: Audit Success
User: N/A
Computer: 2008r2-f-01.contoso.com
Description:
Domain Policy was changed.
Change Type: Password Policy modified
Subject:
Security ID: SYSTEM
Account Name: 2008R2-F-01$
Account Domain: CONTOSO
Logon ID: 0x3e7
Domain:
Domain Name: CONTOSO
Domain ID: CONTOSO
Changed Attributes:
Min. Password Age: -
Max. Password Age: -
Force Logoff: -
Lockout Threshold: -
Lockout Observation Window: -
Lockout Duration: -
Password Properties: -
Min. Password Length: 5
Password History Length: -
Machine Account Quota: -
Mixed Domain Mode: -
Domain Behavior Version: -
OEM Information: -
Notice the account name is the DC itself, not the user who edited the policy. This event, while useful, needs to be correlated with the 5136 event to see who made the change. And even then, these events can sometimes be difficult to understand – what is a “password property” after all? (It’s for complexity being turned on or off.) You should probably use these events as a notification to go examine the actual policies in GPMC.
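The correlation described above, done in PowerShell. This is an added example and not part of the original post: it reads 5136 and 4739 events from a DC's Security log, parses the rendered "Key: Value" message text (the same layout shown in the events above), and reports each Default Domain Policy version bump together with the 4739 events logged within a configurable window, so the human from the 5136 and the changed settings from the 4739 land on one line. It assumes it is run on a DC (or with -ComputerName against one) by an account that can read the Security log, and that the auditing from the steps above is already enabled; the function names and the 120-second default window are my own choices.

```powershell
# Added example (not from the original post). Pairs 5136 (who edited the GPO)
# with 4739 (what password/lockout setting the DC applied) from a DC's Security log.

function ConvertFrom-AuditMessage {
    # Parse the rendered message of a 5136/4739 event into a hashtable.
    # Lines with an empty value ("Subject:", "Object:", "Changed Attributes:")
    # start a section, so keys become e.g. "Subject.Account Name", "Object.Class",
    # "Attribute.LDAP Display Name", "Operation.Type", "Changed Attributes.Lockout Threshold".
    param([Parameter(Mandatory)][string]$Message)
    $fields  = @{}
    $section = ''
    foreach ($line in ($Message -split "`r?`n")) {
        if ($line -match '^\s*([^:]+):\s*(.*)$') {
            $key   = $Matches[1].Trim()
            $value = $Matches[2].Trim()
            if ($value -eq '') { $section = $key; continue }
            $name = if ($section) { "$section.$key" } else { $key }
            $fields[$name] = $value
        }
    }
    return $fields
}

function Get-PasswordPolicyChange {
    param(
        [datetime]$Since        = (Get-Date).AddDays(-7),
        [string]$ComputerName   = $env:COMPUTERNAME,
        [int]$WindowSeconds     = 120   # assumption: 4739 follows the GPO edit within this long
    )
    $filter = @{ LogName = 'Security'; Id = 5136, 4739; StartTime = $Since }
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{ Id = $_.Id; Time = $_.TimeCreated; Fields = (ConvertFrom-AuditMessage $_.Message) }
        }
    $policyEvents = $events | Where-Object Id -eq 4739

    foreach ($e in ($events | Where-Object Id -eq 5136)) {
        $f = $e.Fields
        # Only GPO version bumps; each bump logs a "Value Deleted"/"Value Added" pair, keep one.
        if ($f['Object.Class'] -ne 'groupPolicyContainer')        { continue }
        if ($f['Attribute.LDAP Display Name'] -ne 'versionNumber') { continue }
        if ($f['Operation.Type'] -ne 'Value Added')               { continue }

        $related = $policyEvents | Where-Object {
            [math]::Abs(($_.Time - $e.Time).TotalSeconds) -le $WindowSeconds
        }
        $changes = foreach ($p in $related) {
            $c = $p.Fields
            # Only attributes the 4739 marks as changed (anything that is not "-").
            $changed = $c.GetEnumerator() |
                Where-Object { $_.Key -like 'Changed Attributes.*' -and $_.Value -ne '-' } |
                ForEach-Object { '{0}={1}' -f ($_.Key -replace '^Changed Attributes\.', ''), $_.Value }
            '{0} [{1}]' -f $c['Change Type'], ($changed -join ', ')
        }
        [pscustomobject]@{
            When          = $e.Time
            Who           = '{0}\{1}' -f $f['Subject.Account Domain'], $f['Subject.Account Name']
            Gpo           = $f['Object.DN']
            NewVersion    = $f['Attribute.Value']
            # Empty means the GPO edit did not touch password or lockout settings
            # (the wallpaper case); a value means an auth policy change to go review in GPMC.
            PolicyChanges = ($changes -join '; ')
        }
    }
}

Get-PasswordPolicyChange -Since (Get-Date).AddDays(-1) | Format-List
```

On the events shown above this would produce one line for the 3:04:17 PM edit by CONTOSO\Administrator with PolicyChanges "Password Policy modified [Min. Password Length=5]". The parser works on rendered message text, so it needs the DC's own event message resources; it also relies on unchanged 4739 fields being rendered as "-", which is how the DC writes them.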
1. Put an auditing entry on the “Password Settings Container” container. Enabling auditing for EVERYONE on the “CN=Password Settings Container,CN=System,DC=<your domain>” object causes Windows to track all users who write, delete, and modify permissions on any FGPPs.
2. Enable subcategory auditing for “Directory Service Changes” (see previous section for steps).
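Both procedures, the SACL on the Policies container from the previous section and the SACL on the Password Settings Container here, plus the subcategory auditing they both need, scripted in PowerShell. This is an added example and not the post's own code: it uses the ActiveDirectory module's AD: drive and auditpol.exe, which exist on a Windows Server 2008 R2 DC, and it assumes you run it on a DC as a member of Domain Admins (the SACL write needs SeSecurityPrivilege). The helper name and the exact set of audited rights (WriteProperty, Delete, DeleteTree, WriteDacl, WriteOwner, CreateChild, DeleteChild for Everyone, Success only, inherited to the whole subtree) are my reading of the "writes, deletes, and permission modifications" wording above and can be trimmed to taste.

```powershell
# Added example (not from the original post). Enables the auditing described in the
# steps above on both containers and turns on the required audit subcategories.
Import-Module ActiveDirectory

function Add-ContainerAuditRule {
    # Add a Success audit ACE for Everyone to the SACL of an AD container, inherited to all children.
    param([Parameter(Mandatory)][string]$DistinguishedName)
    $path     = "AD:\$DistinguishedName"
    $everyone = New-Object System.Security.Principal.SecurityIdentifier(
                    [System.Security.Principal.WellKnownSidType]::WorldSid, $null)
    # Assumption: these rights approximate "writes, deletes and permission modifications" in the GUI.
    $rights   = [System.DirectoryServices.ActiveDirectoryRights]'WriteProperty, Delete, DeleteTree, WriteDacl, WriteOwner, CreateChild, DeleteChild'
    $rule     = New-Object System.DirectoryServices.ActiveDirectoryAuditRule(
                    $everyone, $rights,
                    [System.Security.AccessControl.AuditFlags]::Success,
                    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)

    # -Audit is required, otherwise Get-Acl does not read the SACL at all.
    $acl = Get-Acl -Path $path -Audit
    $acl.AddAuditRule($rule)
    Set-Acl -Path $path -AclObject $acl
    # Return the audit rules now on the object so the caller can eyeball them.
    (Get-Acl -Path $path -Audit).GetAuditRules($true, $false, [System.Security.Principal.SecurityIdentifier])
}

$domainDn = (Get-ADDomain).DistinguishedName

# Step 1 of each section: domain password/lockout policy lives in a GPO, FGPPs live in the PSC.
Add-ContainerAuditRule -DistinguishedName "CN=Policies,CN=System,$domainDn"
Add-ContainerAuditRule -DistinguishedName "CN=Password Settings Container,CN=System,$domainDn"

# Steps 2 and 3: subcategory auditing on the DC. On Windows Server 2008 R2 set the same
# subcategories through GPMC (Advanced Audit Policy) for all DCs instead of relying on
# the local auditpol settings, which a GPO can overwrite.
auditpol /set /subcategory:"Directory Service Changes"     /success:enable /failure:enable
auditpol /set /subcategory:"Authentication Policy Change"  /success:enable /failure:enable   # 2008 R2 DCs
auditpol /set /subcategory:"Other Account Management Events" /success:enable               # 2008 DCs

# Verify what is in effect.
auditpol /get /category:"Policy Change","Account Management","DS Access"
```

After this runs, editing the Default Domain Policy or a PSO produces the 5136 events shown in this post, and a 4739 follows when the DC applies a changed password or lockout setting. Note that Get-Acl without -Audit returns an object with an empty SACL, so calling Set-Acl with it would silently drop the audit entries you just added.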
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 10/24/2009 4:20:54 PM
Event ID: 5136
Task Category: Directory Service Changes
Level: Information
Keywords: Audit Success
User: N/A
Computer: 2008r2-f-01.contoso.com
Description:
A directory service object was modified.
Subject:
Security ID: CONTOSO\RobGreene
Account Name: RobGreene
Account Domain: CONTOSO
Logon ID: 0x1e936
Directory Service:
Name: contoso.com
Type: Active Directory Domain Services
Object:
DN: CN=VIP DomainUsersPSO,CN=Password Settings Container,CN=System,DC=contoso,DC=com
GUID: CN=VIP DomainUsersPSO,CN=Password Settings Container,CN=System,DC=contoso,DC=com
Class: msDS-PasswordSettings
Attribute:
LDAP Display Name: msDS-PasswordComplexityEnabled
Syntax (OID): 2.5.5.8
Value: TRUE
Operation:
Type: Value Deleted
Correlation ID: {6afa8930-85cd-44d9-828b-9cc3c1b5a8b9}
Application Correlation ID: -
===
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 10/24/2009 4:20:54 PM
Event ID: 5136
Task Category: Directory Service Changes
Level: Information
Keywords: Audit Success
User: N/A
Computer: 2008r2-f-01.contoso.com
Description:
A directory service object was modified.
Subject:
Security ID: CONTOSO\RobGreene
Account Name: RobGreene
Account Domain: CONTOSO
Logon ID: 0x1e936
Directory Service:
Name: contoso.com
Type: Active Directory Domain Services
Object:
DN: CN=VIP DomainUsersPSO,CN=Password Settings Container,CN=System,DC=contoso,DC=com
GUID: CN=VIP DomainUsersPSO,CN=Password Settings Container,CN=System,DC=contoso,DC=com
Class: msDS-PasswordSettings
Attribute:
LDAP Display Name: msDS-PasswordComplexityEnabled
Syntax (OID): 2.5.5.8
Value: FALSE
Operation:
Type: Value Added
Correlation ID: {6afa8930-85cd-44d9-828b-9cc3c1b5a8b9}
Application Correlation ID: -