Thursday, 6 March 2014

Event ID 4742 - A computer account was changed - Password Last Set

Description:

   In this article, I am going to explain the security Event ID 4742 (A computer account was changed) as it appears when the Password Last Set attribute changes.

 Event ID 4742 is controlled by the Account Management category of the Audit Policy, applied through the Default Domain Controllers Policy GPO (Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit account management).

In Windows 2008 R2 and later versions, you can also control this event through the Computer Account Management subcategory of the Default Domain Controllers Policy (Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Account Management\Audit Computer Account Management).

In this article, I am going to write only about computer account password storage and changes to Password Last Set (the PwdLastSet attribute).

Summary:

Computer Account Password Storage Information

   Many of us don't know how a computer account's password is stored. Computers store their domain password in the "secrets" portion of the registry. This special storage is encrypted and holds both the current and the previous password, along with the time stamps of when each was set.

Computers keep both passwords to assist with authentication. When a computer attempts to log on to the domain, it uses the new password; if that password does not work, it tries the previous one. This way, if a computer changes its password (domain join excluded) at DC1 and then attempts to authenticate at DC2 before that new password has replicated, the computer can still log on with the old password.

Computer Account Password Change

A computer account changes its own password in the following scenarios:

  • When a computer joins an Active Directory domain, it generates a new password and writes that value into the computer's "secrets" storage as the machine's new password in the domain.
  • By default every 30 days, or after another configured interval (registry key HKLM\SYSTEM\CurrentControlSet\Services\NetLogon\Parameters, registry value MaximumPasswordAge), a computer attempts to change its domain password.
  • To change its own password, the computer creates a valid secure channel to a DC, stores the new password locally (in the registry), and then sends the password update to the Domain Controller. If the DC refuses the password change, the computer's local password change is reverted.
  • When an admin forces a password change with the command nltest /sc_change_pwd:domain, the computer attempts to change its domain password.
  • When an admin resets a computer account from the ADUC console, the computer attempts to change its domain password, which also changes the value of the computer account's PwdLastSet attribute.
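
The rotation settings and the "secrets" behaviour described above can be checked from the computer itself. The following PowerShell is an added example written for this page; it is not code from the original post. It reads the NetLogon registry values named above (MaximumPasswordAge, plus DisablePasswordChange, which stops self-rotation when set to 1), compares them with the PwdLastSet value Active Directory holds for this computer, and reports whether the machine's secure channel to a DC is healthy. It assumes the ActiveDirectory (RSAT) module is installed, the host is domain-joined, and the shell is elevated (Test-ComputerSecureChannel requires it); the 30-day default is the one the post states.

```powershell
# Added example (not part of the original post): report this computer's password
# rotation settings and compare them with its PwdLastSet value in Active Directory.
# Assumes: ActiveDirectory module present, domain-joined host, elevated shell.

$netlogonKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetLogon\Parameters'
$params = Get-ItemProperty -Path $netlogonKey

# MaximumPasswordAge is expressed in days; when the value is absent the post's
# 30-day default applies.
$maxAgeDays = if ($null -ne $params.MaximumPasswordAge) { [int]$params.MaximumPasswordAge } else { 30 }

# DisablePasswordChange = 1 prevents the computer from rotating its own password,
# so PwdLastSet will stop advancing on its own.
$rotationDisabled = ($params.DisablePasswordChange -eq 1)

Import-Module ActiveDirectory
# PasswordLastSet is the DateTime form of the pwdLastSet attribute.
$computer = Get-ADComputer -Identity $env:COMPUTERNAME -Properties PasswordLastSet

$lastSet = $computer.PasswordLastSet
$now     = Get-Date
$nextDue = $lastSet.AddDays($maxAgeDays)
$ageDays = [math]::Round(($now - $lastSet).TotalDays, 1)

# Test-ComputerSecureChannel returns $true when the secure channel to a DC works,
# i.e. the locally stored password (current or previous) still matches the DC.
$channelOk = Test-ComputerSecureChannel

[pscustomobject]@{
    Computer           = $computer.SamAccountName
    PasswordLastSet    = $lastSet
    PasswordAgeDays    = $ageDays
    MaximumPasswordAge = $maxAgeDays
    RotationDisabled   = $rotationDisabled
    NextChangeDue      = $nextDue
    SecureChannelOK    = $channelOk
    # Overdue only means something when rotation is enabled; a machine that is
    # overdue and whose channel is broken is the classic "trust relationship" case.
    Overdue            = (-not $rotationDisabled) -and ($now -gt $nextDue)
}
```

A PasswordAgeDays value well past MaximumPasswordAge on a machine that has been online is worth a look: either DisablePasswordChange is set, or the computer's own change attempts are being refused by the DC and reverted locally, as the post describes.
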

Event ID 4742 - A computer account was changed - Password Last Set (PwdLastSet Attribute)

Event ID 4742 Info - Password Last Set (PwdLastSet Attribute)

   You can see the following Password Last Set (PwdLastSet) change event details in the Security log for Event ID 4742 in the following scenarios:
   i)  When we join the computer to an Active Directory domain
   ii) When an admin forces a computer account reset, either from the ADUC console or with the command nltest /sc_change_pwd:domain

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          3/6/2014 3:58:28 PM
Event ID:      4742
Task Category: Computer Account Management
Level:         Information
Keywords:      Audit Success
User:          N/A
Computer:      devDC.Work2008.local
Description:
A computer account was changed.

Subject:
 Security ID:  WORK2008\Administrator
 Account Name:  Administrator
 Account Domain:  WORK2008
 Logon ID:  0x20333

Computer Account That Was Changed:
 Security ID:  WORK2008\ADMIN-PC$
 Account Name:  ADMIN-PC$
 Account Domain:  WORK2008

Changed Attributes:
 SAM Account Name: -
 Display Name:  -
 User Principal Name: -
 Home Directory:  -
 Home Drive:  -
 Script Path:  -
 Profile Path:  -
 User Workstations: -
 Password Last Set: 3/6/2014 3:58:28 PM
 Account Expires:  -
 Primary Group ID: -
 AllowedToDelegateTo: -
 Old UAC Value:  -
 New UAC Value:  -
 User Account Control: -
 User Parameters: -
 SID History:  -
 Logon Hours:  -
 DNS Host Name:  -
 Service Principal Names: -

Additional Information:
 Privileges:  -

Event ID 4742 Info - Password Last Set (PwdLastSet Attribute) by ANONYMOUS LOGON

   You can see the following Password Last Set (PwdLastSet) change by ANONYMOUS LOGON event details in the Security log for Event ID 4742 in the following scenarios:
     i)  When a computer changes its own password while creating a valid secure channel to a Domain Controller
     ii) When a computer account resets its own password every 30 days or after another configured interval (registry key HKLM\SYSTEM\CurrentControlSet\Services\NetLogon\Parameters, registry value MaximumPasswordAge)

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          3/6/2014 3:58:28 PM
Event ID:      4742
Task Category: Computer Account Management
Level:         Information
Keywords:      Audit Success
User:          N/A
Computer:      devDC.Work2008.local
Description:
A computer account was changed.

Subject:
 Security ID:  NT AUTHORITY\ANONYMOUS LOGON
 Account Name:  ANONYMOUS LOGON
 Account Domain:  NT AUTHORITY
 Logon ID:  0x20333

Computer Account That Was Changed:
 Security ID:  WORK2008\ADMIN-PC$
 Account Name:  ADMIN-PC$
 Account Domain:  WORK2008

Changed Attributes:
 SAM Account Name: -
 Display Name:  -
 User Principal Name: -
 Home Directory:  -
 Home Drive:  -
 Script Path:  -
 Profile Path:  -
 User Workstations: -
 Password Last Set: 2/2/2014 3:45:29 PM
 Account Expires:  -
 Primary Group ID: -
 AllowedToDelegateTo: -
 Old UAC Value:  -
 New UAC Value:  -
 User Account Control: -
 User Parameters: -
 SID History:  -
 Logon Hours:  -
 DNS Host Name:  -
 Service Principal Names: -

Additional Information:
 Privileges:  -
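
The two samples above differ only in the Subject: a named administrator for a join or forced reset, and NT AUTHORITY\ANONYMOUS LOGON for the computer's own rotation. The following PowerShell is an added example written for this page, not code from the original post. It pulls Event ID 4742 records from a domain controller's Security log, keeps only those where Password Last Set actually changed (the field is "-" otherwise, as both samples show), and labels each record with the scenario the post assigns to that Subject. The DC name and look-back window are parameters; devDC.Work2008.local is taken from the post's samples and should be replaced with your own DC. It assumes the account running it can read the Security log remotely and that the Computer Account Management audit subcategory is enabled as described at the top of the post.

```powershell
# Added example (not part of the original post): triage Event ID 4742 records whose
# "Password Last Set" field changed, labelling each by who made the change.
# Assumes: read access to the DC's Security log; auditing enabled per the post.
param(
    [string]$DomainController = 'devDC.Work2008.local',   # DC name from the post's samples; replace with yours
    [int]$Days = 7                                        # look-back window
)

# XPath: 4742 from the auditing provider, created within the last $Days days
# (timediff works in milliseconds).
$windowMs = $Days * 86400000
$xpath = "*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and EventID=4742 " +
         "and TimeCreated[timediff(@SystemTime) <= $windowMs]]]"

$events = Get-WinEvent -ComputerName $DomainController -LogName Security `
                       -FilterXPath $xpath -ErrorAction SilentlyContinue

foreach ($e in $events) {
    # Convert the event to XML and flatten <EventData><Data Name="..."> into a table.
    $xml = [xml]$e.ToXml()
    $d = @{}
    foreach ($item in $xml.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }

    # "-" means the attribute did not change in this 4742; skip those.
    if ($d['PasswordLastSet'] -eq '-') { continue }

    $subject = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
    $target  = "$($d['TargetDomainName'])\$($d['TargetUserName'])"

    # Mapping taken from the post: ANONYMOUS LOGON = the computer rotated its own
    # password over its secure channel; a named account = domain join, ADUC reset,
    # or nltest /sc_change_pwd.
    $kind = if ($d['SubjectUserName'] -eq 'ANONYMOUS LOGON') {
                'self-change (scheduled rotation or secure-channel setup)'
            } else {
                'manual (domain join, ADUC reset, or nltest /sc_change_pwd)'
            }

    [pscustomobject]@{
        Time            = $e.TimeCreated
        Subject         = $subject
        Computer        = $target
        PasswordLastSet = $d['PasswordLastSet']
        LogonId         = $d['SubjectLogonId']
        Kind            = $kind
    }
}
```

Run it with `.\Get-4742PasswordChanges.ps1 -DomainController dc01.example.local -Days 30` (script name and DC are placeholders). On a healthy domain the output is dominated by the self-change rows, one per computer roughly every MaximumPasswordAge days; the manual rows are the ones to correlate with your join and reset activity, since each one is a human or script that reset a machine account.
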

Thanks,
Morgan
Software Developer


2 comments:

  1. That's a great explanation, thanks, it quickly gave me a clear understanding of what it meant when the password said it had changed.

  2. Hi, thanks for posting! Sorry, but I don't understand the "When a computer changes its own password" scenarios. I got many ANONYMOUS LOGON attempts to change many AD accounts and don't know what's happening... Please, can you clarify this scenario?
