AR15.COM
2/14/2012 2:08:37 PM EDT
I have a case where my client had to repeatedly change her password to prevent people from accessing her computer at work.  Presumably, the computer runs Windows XP, and belongs to a typical corporate network.

Are password changes logged anywhere?  If so, where, and for how long?  What about attempts to access a computer with an improper password?

Thanks!

2/14/2012 2:31:22 PM EDT
[#1]
You may be able to look in the Event Log at the Audit Logs (I don't remember if XP calls them Security Audit, or just Audit, or just Security logs.)  That will for sure tell you attempts to login that failed and attempts that succeeded.  I do not recall where password changes are stored (or if they are.)

ETA: Right click "My Computer" ––> Left Click "Manage" ––> Left Click "Event Viewer" ––> Left Click "Security"
The security log records events such as valid and invalid logon attempts, as well as events related to resource use, such as the creating, opening, or deleting of files. For example, when logon auditing is enabled, an event is recorded in the security log each time a user attempts to log on to the computer. You must be logged on as Administrator or as a member of the Administrators group in order to turn on, use, and specify which events are recorded in the security log.

Looks like you have to have had logon auditing enabled though.
2/14/2012 3:20:52 PM EDT
[#2]
On a Windows-based network (assuming an Active Directory domain, not a workgroup) - password changes (the event, not the password itself) are stored as an attribute on each account within AD.  Don't quote me, but I believe the attribute name is either PasswordLastSet or PwdLastSet.  If you have multiple Domain Controllers, you would need to verify that the attribute is replicated across DCs, otherwise you would have to check each DC to see when it was last set.  It will stay there until the next time it is set.

As far as logging, if you haven't run SecPol.msc and changed default auditing to include failed login attempts you won't see anything.  If logging is enabled, you will see any failed attempts logged in the Security Log on the server (run EventVwr.msc and look at Security).


ETA:  The above is for failed attempts using her network account.  If she is concerned about a local account on her workstation it would be as posted above.
2/14/2012 5:04:46 PM EDT
[#3]
Quoted:
On a Windows-based network (assuming an Active Directory domain, not a workgroup) - password changes (the event, not the password itself) are stored as an attribute on each account within AD.  Don't quote me, but I believe the attribute name is either PasswordLastSet or PwdLastSet.  If you have multiple Domain Controllers, you would need to verify that the attribute is replicated across DCs, otherwise you would have to check each DC to see when it was last set.  It will stay there until the next time it is set.

As far as logging, if you haven't run SecPol.msc and changed default auditing to include failed login attempts you won't see anything.  If logging is enabled, you will see any failed attempts logged in the Security Log on the server (run EventVwr.msc and look at Security).


ETA:  The above is for failed attempts using her network account.  If she is concerned about a local account on her workstation it would be as posted above.


Yup, pwdLastSet is the field you want.

What I did when scripting an LDAP password reset program was get the current value of that field, reset the password, & then verify the value has changed.
I was also going to write up a countdown script that would alert users when they hit the 30-day mark on their 45-day password reset notification GPO setting.
2/14/2012 8:28:59 PM EDT
[#4]
if the admins have the password change event audited and if the security log is still around, either there or in the DC backups, and if she was referring to a domain account or a local workstation account.

Edit: a "typical corporate network" may or may not have that type of auditing enabled.  I think the new versions of Windows Server enable it by default though.  that may be only during a brand new install and not an upgrade... not sure.

you'll need to dig

edit edit.

"access her computer at work" and "access 'her' (assigned work) computer as via her account" are not the same.
the smaller the company, the smaller less dedicated IT staff who can properly lock out users.  Plus many places don't want users restricted.

Windows has a large number of security features in which 99% of them are not enabled in small environments. (or home use for that matter)

>> Are password changes logged anywhere? If so, where, and for how long? What about attempts to access a computer with an improper password?

yes if logging is enabled. typically domain controller's security event log for as long as possible till the log's free space is used up and it overwrites oldest events first. same as password changes.
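
Added example, not part of any poster's reply: a Python sketch that converts a raw pwdLastSet value into a readable UTC time and pulls failed-logon and password-change events for one account out of an exported Security log. The CSV column names, the account names and the sample rows are constructed assumptions; the event IDs are the XP/Server 2003 ones with their Vista/Server 2008+ equivalents, and they only exist in a log if auditing was enabled.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Security-log event IDs of interest: XP / Server 2003 first,
# then the Vista / Server 2008+ equivalent.
EVENT_KINDS = {
    529: "failed_logon", 4625: "failed_logon",        # bad user name or password
    627: "password_change", 4723: "password_change",  # user changed own password
    628: "password_reset", 4724: "password_reset",    # password set by someone else
}

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def pwd_last_set_to_utc(value):
    """Convert pwdLastSet (100-ns ticks since 1601-01-01 UTC) to a datetime.

    A stored value of 0 means "must change password at next logon",
    so there is no timestamp to report.
    """
    ticks = int(value)
    if ticks == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def timeline(csv_text, account):
    """Group the relevant events for one account, keyed by event kind."""
    found = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        kind = EVENT_KINDS.get(int(row["EventID"]))
        if kind and row["Account"].lower() == account.lower():
            found[kind].append(row["TimeUTC"])
    return dict(found)


# Constructed sample export (hypothetical columns and accounts).
SAMPLE_LOG = """TimeUTC,EventID,Account
2012-02-01T13:02:11,529,jdoe
2012-02-01T13:02:40,529,jdoe
2012-02-01T13:05:03,528,jdoe
2012-02-02T09:15:00,627,jdoe
2012-02-03T08:00:00,529,asmith
2012-02-06T16:45:12,628,jdoe
"""

if __name__ == "__main__":
    print(pwd_last_set_to_utc("129730203120000000"))
    for kind, times in timeline(SAMPLE_LOG, "jdoe").items():
        print(kind, times)
```

Comparing the converted pwdLastSet time with the newest password_change or password_reset event shows whether the surviving log still covers the most recent change or has already overwritten it.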
2/15/2012 4:34:12 AM EDT
[#5]
Download Manage Engine's AD Audit Plus.  Can do a 30 day trial. Depending on how long logs are stored, you might find it.   If nothing else, going forward it will save the logs and you can do historical searches.
2/15/2012 7:47:40 PM EDT
[#6]
Quoted:
I have a case where my client had to repeatedly change her password to prevent people from accessing her computer at work.  Presumably, the computer runs Windows XP, and belongs to a typical corporate network.

Are password changes logged anywhere?  If so, where, and for how long?  What about attempts to access a computer with an improper password?

Thanks!



Simple answer, tell her to stop writing down her new password on a stickie and putting it on her monitor or keyboard.
2/21/2012 2:55:19 PM EDT
[#7]
Thanks for the info guys.  We requested that the other side image our client's computer and preserve all information at the onset of litigation.  Hopefully the info is still out there.