cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
670
Views
5
Helpful
4
Replies

MARS 5.3 - Locate who/what is applying password reset on users account

andrew-mccabe
Level 1
Level 1

A users account within the AD is repeatedly being set to change password at next logon. How can I search for the cause in MARS or is this type of event not logged?

4 Replies 4

mhellman
Level 7
Level 7

I believe it will have event id 642 in Windows 2000 or 2003. Google that event id for more information.

Thank you.

Can you explain how I can search for this event in MARS?

For this example, username is BOB. open up notepad and type:

642Security

Where is the tab key. If you use a space, this won't work. Now ctrl-a to select all and ctrl-c to copy.

Now create a query.

query type = events ranked by time

time range = whenever you think this happened

keyword = AND BOB

submit.

Thank you very much. Appreciated.

Review Cisco Networking for a $25 gift card