Description
In this article, I am going to explain about the security Event ID 4742 (A computer account was changed) with Password Last Set change.
Event ID 4742 is controlled by Account Management category of Audit Policy through GPO Default Domain Controller Policy (Computer ConfigurationPolicesWindows SettingsSecurity SettingsLocal PolicesAudit PolicyAudit account management).
In Windows 2008 R2 and later versions, you can also control this event by Default Domain Controller Policy‘s Computer Account Management sub category (Computer ConfigurationPolicesWindows SettingsSecurity SettingsAdvanced Audit Policy ConfigurationAudit PoliciesAccount ManagementAudit Computer Account Management).
In this article, I am going write only about Computer Account‘s Password Storage and Password Last Set (PwdLastSet attribute) changes.
Summary
- Computer Account Password Storage Information
- Computer Account Password Change
- Event ID 4742 Info – Password Last Set
- Event ID 4742 Info – Password Last Set by ANONYMOUS LOGON
Computer Account Password Storage Information
Many of us don’t know about the facts of Computer Account‘s password storage. Computers store their domain password in their “secrets” storage portion of the registry. This special storage is encrypted and stores the current and previous passwords along with the time stamps of when they were set.
Computers maintain both passwords to assist with authentication. When a computer attempts to logon to the domain, it will use the new password, if that password does not work it will try the previous password. In this way, if a computer changes its password (excluding domain join) at DC1 and then attempts to authenticate at DC2 prior to replication of that new password, the computer should still be able to logon with the old password.
Computer Account Password Change
The Computer Accounts will change their own password in the following scenarios
- When a computer joins a Active Directory domain, it generates a new password and writes that value into the computer’s “secrets” storage as the machine’s new password in the domain.
- By default every 30 days or other specified time frame (reg key =HKLMSYSTEMCurrentControlSetServicesNetLogonParameters reg value = MaximumPasswordAge) a computer will attempt to change its domain password.
- The computer changes their own password when create valid secure channel to a DC, store the new password locally (in the registry), and then sends the password update to a Domain Controller. If the DC refuses the password change, the computer’s local password change is reverted.
- When an admin forces a password change by this command: nltest /sc_change_pwd:domain a computer will attempt to change its domain password.
- When an admin Reset a Computer account from ADUC console the computer will attempt to change its domain password and it leads to change the value of PwdLastSet attribute of Computer Account.
Event ID 4742 Info – Password Last Set (PwdLastSet Attribute)
You can see the following Password Last Set (PwdLastSet) change event details in Security log for the Event ID 4742 in the following scenarios.
i) When we join the Computer to a Active Directory domain
ii) When an admin forces computer account reset either by ADUC console or by the command nltest /sc_change_pwd:domain
Log Name: Security Source: Microsoft-Windows-Security-Auditing Date: 3/6/2014 3:58:28 PM Event ID: 4742 Task Category: Computer Account Management Level: Information Keywords: Audit Success User: N/A Computer: devDC.Work2008.local Description: A computer account was changed. Subject: Security ID: WORK2008Administrator Account Name: Administrator Account Domain: WORK2008 Logon ID: 0x20333 Computer Account That Was Changed: Security ID: WORK2008ADMIN-PC$ Account Name: ADMIN-PC$ Account Domain: WORK2008 Changed Attributes: SAM Account Name: - Display Name: - User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: 3/6/2014 3:58:28 PM Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account Control: - User Parameters: - SID History: - Logon Hours: - DNS Host Name: - Service Principal Names: - Additional Information: Privileges: -
Event ID 4742 Info – Password Last Set (PwdLastSet Attribute) by ANONYMOUS LOGON
You can see the following Password Last Set (PwdLastSet) change by ANONYMOUS LOGON event details in Security log for the Event ID 4742 in the following scenarios
i). When a computer changes it’s own password while create valid secure channel to a Domain Controller
ii). When Computer Accounts resets own password for every 30 days or other specified time frame (reg key = HKLMSYSTEMCurrentControlSetServicesNetLogonParameters reg value = MaximumPasswordAge)
Log Name: Security Source: Microsoft-Windows-Security-Auditing Date: 3/6/2014 3:58:28 PM Event ID: 4742 Task Category: Computer Account Management Level: Information Keywords: Audit Success User: N/A Computer: devDC.Work2008.local Description: A computer account was changed. Subject: Security ID: NT AUTHORITYANONYMOUS LOGON Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x20333 Computer Account That Was Changed: Security ID: WORK2008ADMIN-PC$ Account Name: ADMIN-PC$ Account Domain: WORK2008 Changed Attributes: SAM Account Name: - Display Name: - User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: 2/2/2014 3:45:29 PM Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account Control: - User Parameters: - SID History: - Logon Hours: - DNS Host Name: - Service Principal Names: - Additional Information: Privileges: -
Thanks,
Morgan
Software Developer
That's a great explanation, thanks, it quickly gave me a clear understanding of what it meant when the password said it had changed.
Hi, thanks for posting! Sorry, but I don´t undestrand "When a computer changes it's own password" scenarios. I got many ANONYMOUS LOGON attempts to change many AD accounts and don´t know what´s happening… Please, can you clarify this scenario?