08-27-2008 03:35 AM - edited 03-10-2019 04:16 AM
A users account within the AD is repeatedly being set to change password at next logon. How can I search for the cause in MARS or is this type of event not logged?
08-27-2008 05:13 AM
I believe it will have event id 642 in Windows 2000 or 2003. Google that event id for more information.
08-27-2008 06:06 AM
Thank you.
Can you explain how I can search for this event in MARS?
08-27-2008 07:09 AM
For this example, username is BOB. open up notepad and type:
642
Where
Now create a query.
query type = events ranked by time
time range = whenever you think this happened
keyword =
submit.
08-27-2008 07:11 AM
Thank you very much. Appreciated.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide