Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
679
Views
5
Helpful
4
Replies

MARS 5.3 - Locate who/what is applying password reset on users account

andrew-mccabe
Level 1
Level 1

‎08-27-2008 03:35 AM - edited ‎03-10-2019 04:16 AM

A users account within the AD is repeatedly being set to change password at next logon. How can I search for the cause in MARS or is this type of event not logged?

Labels:
0 Helpful
4 Replies 4

mhellman
Level 7
Level 7

‎08-27-2008 05:13 AM

I believe it will have event id 642 in Windows 2000 or 2003. Google that event id for more information.

0 Helpful

andrew-mccabe
Level 1
Level 1
In response to mhellman

‎08-27-2008 06:06 AM

Thank you.

Can you explain how I can search for this event in MARS?

0 Helpful

mhellman
Level 7
Level 7
In response to andrew-mccabe

‎08-27-2008 07:09 AM

For this example, username is BOB. open up notepad and type:

642Security

Where is the tab key. If you use a space, this won't work. Now ctrl-a to select all and ctrl-c to copy.

Now create a query.

query type = events ranked by time

time range = whenever you think this happened

keyword = AND BOB

submit.

andrew-mccabe
Level 1
Level 1
In response to mhellman

‎08-27-2008 07:11 AM

Thank you very much. Appreciated.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card