Event 643 in Security log every 5 minutes

G

Guest

Guest
Archived from groups: microsoft.public.win2000.security (More info?)

Here's what happened.
In the AD, there are 2 domain controllers, both are running W2K Server w/SP4
In the event log of the First DC(which holds all the FSMO roles), event id
643 appeared
every 5 minutes for the whole day. It act as a File server as well as a
print server. It is located in a closed network and no one using
the network should have a user right more than an ordinary domain user.
The holder of the adminitrator account(The companies' Vice President) have
no
physical access to the network. No tasks were scheduled to run every 5
minutes.
And the strange thing is, the events does not appear in the other domain
controller.
Can anyone suggest a possiblity of what's happening??
I searched through TechNet and could find no clue of this...
Thank you.

Below is an extract of the event log:
7/8/2004 12:01:09 AM 8 7 643 Security NT AUTHORITY\SYSTEM DC1 Password
Policy DOMAIN %{S-1-5-21-602162358-1644491937-682003330} DC1$ DOMAIN
(0x0,0x3E7) -
7/8/2004 12:06:26 AM 8 7 643 Security NT AUTHORITY\SYSTEM DC1 Password
Policy DOMAIN %{S-1-5-21-602162358-1644491937-682003330} DC1$ DOMAIN
(0x0,0x3E7) -
7/8/2004 12:11:34 AM 8 7 643 Security NT AUTHORITY\SYSTEM DC1 Password
Policy DOMAIN %{S-1-5-21-602162358-1644491937-682003330} DC1$ DOMAIN
(0x0,0x3E7) -
7/8/2004 12:16:41 AM 8 7 643 Security NT AUTHORITY\SYSTEM DC1 Password
Policy DOMAIN %{S-1-5-21-602162358-1644491937-682003330} DC1$ DOMAIN
(0x0,0x3E7) -
7/8/2004 12:21:48 AM 8 7 643 Security NT AUTHORITY\SYSTEM DC1 Password
Policy DOMAIN %{S-1-5-21-602162358-1644491937-682003330} DC1$ DOMAIN
(0x0,0x3E7) -
7/8/2004 12:26:55 AM 8 7 643 Security NT AUTHORITY\SYSTEM DC1 Password
Policy DOMAIN %{S-1-5-21-602162358-1644491937-682003330} DC1$ DOMAIN
(0x0,0x3E7) -
 
G

Guest

Guest
Archived from groups: microsoft.public.win2000.security (More info?)

By default, Group/security policy is refreshed every five minutes on a domain
controller. Possibly that computer is having a problem with a change in password
policy being applied. I would first run netdiag on it and then dcdiag on it to see if
it reports any failed tests/errors/fatal warnings that would indicate a problem with
replication, sysvol, dns, etc. In addition run gpotool to see if it reports any
errors in policy synch between the domain controllers. Those tools are on the
install disk in the support tools folder where you need to run setup to install the
set. --- Steve


"Steven T" <guess_what@hkem.com> wrote in message
news:%238OWAkiZEHA.1764@TK2MSFTNGP10.phx.gbl...
> Here's what happened.
> In the AD, there are 2 domain controllers, both are running W2K Server w/SP4
> In the event log of the First DC(which holds all the FSMO roles), event id
> 643 appeared
> every 5 minutes for the whole day. It act as a File server as well as a
> print server. It is located in a closed network and no one using
> the network should have a user right more than an ordinary domain user.
> The holder of the adminitrator account(The companies' Vice President) have
> no
> physical access to the network. No tasks were scheduled to run every 5
> minutes.
> And the strange thing is, the events does not appear in the other domain
> controller.
> Can anyone suggest a possiblity of what's happening??
> I searched through TechNet and could find no clue of this...
> Thank you.
>
> Below is an extract of the event log:
> 7/8/2004 12:01:09 AM 8 7 643 Security NT AUTHORITY\SYSTEM DC1 Password
> Policy DOMAIN %{S-1-5-21-602162358-1644491937-682003330} DC1$ DOMAIN
> (0x0,0x3E7) -
> 7/8/2004 12:06:26 AM 8 7 643 Security NT AUTHORITY\SYSTEM DC1 Password
> Policy DOMAIN %{S-1-5-21-602162358-1644491937-682003330} DC1$ DOMAIN
> (0x0,0x3E7) -
> 7/8/2004 12:11:34 AM 8 7 643 Security NT AUTHORITY\SYSTEM DC1 Password
> Policy DOMAIN %{S-1-5-21-602162358-1644491937-682003330} DC1$ DOMAIN
> (0x0,0x3E7) -
> 7/8/2004 12:16:41 AM 8 7 643 Security NT AUTHORITY\SYSTEM DC1 Password
> Policy DOMAIN %{S-1-5-21-602162358-1644491937-682003330} DC1$ DOMAIN
> (0x0,0x3E7) -
> 7/8/2004 12:21:48 AM 8 7 643 Security NT AUTHORITY\SYSTEM DC1 Password
> Policy DOMAIN %{S-1-5-21-602162358-1644491937-682003330} DC1$ DOMAIN
> (0x0,0x3E7) -
> 7/8/2004 12:26:55 AM 8 7 643 Security NT AUTHORITY\SYSTEM DC1 Password
> Policy DOMAIN %{S-1-5-21-602162358-1644491937-682003330} DC1$ DOMAIN
> (0x0,0x3E7) -
>
>