Event ID 643

Archived from groups: microsoft.public.win2000.security

I'm looking for information regarding Security Event Log events beyond what
is available in the event log itself. Currently, I'm most interested in what
a 643 event is on a standalone Windows 2000 server. We see this event daily
on several machines, but not at regular intervals. One interesting thing is
that all machines have IIS installed.

The event says it is a password policy change, but there are no details as
to what the actual change was. When I go in and change the password policy
on the local machine, the event gets generated but there is no more
information than the events that just "pop up" every once in a while. I
would appreciate any information either regarding this specific event ID or
any (very detailed) reference explaining security event logs. I found a KB
article referencing security events, but it just gives an example of what you
would see in the event log anyway.
--
-Steve
  1.

    Hi Steve,

    I would like to confirm my understanding of this issue:
    You have noticed that Event ID 643 is logged in the application log in
    win2k server. However, what do you mean by " on a standalone Windows 2000
    server"? Is this server in the domain or a workgroup?

    Technically speaking, Event ID 643 has indicated that Domain Policy
    Changed. As you have found, this policy will be generated when you change
    the domain policy or local policy as described in the following link:

    http://support.microsoft.com/default.aspx?scid=kb;en-us;301677

    Based on my research, Event ID 643 could be triggered by the following causes:

    1. By design behavior.
    ============================
    This behavior is by design and is not indicating a problem with security or
    auditing. This audit event can be safely ignored.

    "Password Policy Change" (event 643) does not distinguish between policy
    refresh and actual password policy change. Thus, each time that a client
    or server refreshes their local security policy (5 minutes for Active
    Directory domain clients or 16 hours for NT 4.0 domain clients), the audit
    event 643 occurs.

    In the event that there is no associated Event 1704 in the application
    event log for a 643 event, then this may very well be because of a password
    policy change.

    2. Refreshes its local security policy
    ========================================
    This event is logged each time that the server refreshes its local security
    policy.

    This is normal behavior when a Windows 2000 system refreshes the policy,
    the specific audit mechanism for password policies doesn't differentiate
    between a policy refresh and a policy update. Thus, each refresh registers
    a 643 event.

    3. DC has reached an enforce interval
    =========================================

    The Domain Controller has reached an enforce interval for Security Policy
    as defined by the following Registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}

    Value: MaxNoGPOListChangesInterval
    Data: Minutes of delay, entered in hexadecimal

    By default, this value is set to 0x3c0, (960 minutes or 16 hours)

    For more details on how to resolve this issue, please refer to the following
    article:

    277543 How to delay security policies from being applied
    http://support.microsoft.com/?id=277543


    In conclusion, I believe you don't need to worry about this event log;
    you have probably encountered a by-design behavior.

    In addition, if you want to track the domain policy change, there is no
    built-in tool to achieve this goal. Based on my further research, there is
    a third-party tool which can compare gpttmpl.inf file. For example, if you
    save the current gpttmpl.inf file which is located in sysvol folder (you
    can search gpttmpl.inf in the sysvol folder), when the domain policy
    changes, compare the current version of gpttmpl.inf with the original one
    by using WinDiff function or manually compare to find out the difference.

    Another method is to compare the settings using GPMC. A third-party tool
    called TripWire provides change control down to the contents of a file.
    (http://www.tripwire.com).

    Note: The third-party product discussed is manufactured by a vendor
    independent of Microsoft; we make no warranty, implied or otherwise,
    regarding this product's performance or reliability.

    Any update, let us get in touch!

    Best regards,

    Rebecca Chen

    MCSE2000 MCDBA CCNA


    Microsoft Online Partner Support
    Get Secure! - www.microsoft.com/security

    =====================================================

    When responding to posts, please "Reply to Group" via your newsreader so
    that others may learn and benefit from your issue.

    =====================================================
    This posting is provided "AS IS" with no warranties, and confers no rights.
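
The correlation described in the answer above (a 643 in the security log with no matching 1704 in the application log is the one worth a closer look), as an added example that is not part of the original thread. The record layout, the sample events and the 120-second matching window are assumptions; the 0x3c0 default is the value quoted in the answer.

```python
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"
DEFAULT_ENFORCE_MINUTES = 0x3C0  # default quoted in the answer: 960 minutes (16 hours)

# Constructed sample export (assumed layout: timestamp, log name, event ID).
SAMPLE_EVENTS = [
    ("2004-11-01 02:14:07", "Application", 1704),
    ("2004-11-01 02:14:09", "Security", 643),
    ("2004-11-01 18:14:30", "Application", 1704),
    ("2004-11-01 18:14:31", "Security", 643),
    ("2004-11-02 09:47:55", "Security", 643),  # no policy-applied event nearby
]


def _parse(records):
    """Turn (timestamp string, log, event ID) tuples into datetime-keyed tuples."""
    return [(datetime.strptime(ts, FMT), log, eid) for ts, log, eid in records]


def unexplained_643(records, window=timedelta(seconds=120)):
    """Return times of Security 643 events with no Application 1704 within `window`.

    The window is an assumed tolerance for the delay between the policy being
    applied (1704) and the audit record (643) being written.
    """
    events = _parse(records)
    refreshes = [t for t, log, eid in events if log == "Application" and eid == 1704]
    flagged = []
    for t, log, eid in events:
        if log == "Security" and eid == 643:
            if not any(abs(t - r) <= window for r in refreshes):
                flagged.append(t)
    return flagged


def gaps_in_minutes(records):
    """Whole minutes between consecutive 643 events, for comparison with the
    enforce interval (a steady gap near 960 suggests periodic refresh)."""
    times = sorted(t for t, log, eid in _parse(records)
                   if log == "Security" and eid == 643)
    return [int((b - a).total_seconds() // 60) for a, b in zip(times, times[1:])]


if __name__ == "__main__":
    for t in unexplained_643(SAMPLE_EVENTS):
        print("643 without a matching 1704:", t)
    print("minutes between 643 events:", gaps_in_minutes(SAMPLE_EVENTS))
    print("default enforce interval (minutes):", DEFAULT_ENFORCE_MINUTES)
```
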
  2.

    Thanks for the very comprehensive response. The servers in question are part
    of a workgroup. The odd thing is, it seems that only machines with IIS
    installed are creating this event log entry, and the pattern seems to be
    between 14 and 20 hours in between.
  3.

    Just to clarify - this is showing up in the Security Event log, not
    Application Event log.
  4.

    Have a look at www.eventid.net
  5.

    Hi Steve,

    Thanks for the event log!

    After researching the event log, I have found the Caller User Name is
    CSMONITOR$ in the security log, it seems the system has raised this error.
    In addition, the caller Domain is DATACENTERNYC, I am a little unclear
    about this situation since you have stated it is a stand-alone machine.
    Please let me know whether DATACENTERNYC refers to a domain.

    An important point is that I have found the corresponding application log
    "Event log 1704".

    Event log 1704 has indicated that security policy in the Group policy
    objects has been applied successfully. You can notice that at this time,
    security log 643 has been recorded in the security log.

    In conclusion, one policy on CSMONITOR has been changed so that event
    log 1704 has been recorded in the application log and the corresponding
    security log 643.

    This is a normal behavior in a domain environment, please double check if
    the machine is in a domain (In My Computer's Properties->Computer Name tab,
    you can see the domain name). If it is a stand-alone machine, please
    compare the gpttmpl.inf file as I have mentioned to find out which policy
    has been changed.

    Please use the steps to check the status and post back if you have any
    update.

    Best regards,

    Rebecca Chen
  6.

    But, that's the problem. There was no change made. I'm aware of everything
    you stated below, and yes DATACENTERNYC is a workgroup so the event log is a
    bit confusing. Also, there is no gpttmpl.inf file on the machine.

    I set up another machine in a lab the same way as our DATACENTERNYC machines
    with IIS and the local security policy. Interestingly enough, Event 643 is
    NOT showing up in the logs. The only difference between the lab and
    production machines is Compaq management software.
  7.

    Hi Steve,

    According to your description, I suspect a certain third-party application
    has changed the local policy to trigger this Event. If Compaq management
    software is installed on the productive machine, please install this
    application on the test machine with the same configuration to observe the
    result.

    If possible, please remove Compaq management software from the production
    machine, what is the result?

    If the issue persists, please refer to the following link to gather the
    MpsReport on both production and the test machine, send them to
    v-rebc@microsoft.com for research.

    I look forward to your reply.

    Best regards,

    Rebecca Chen
  8.

    Here is the MpsReport link:

    Microsoft Product Support's Reporting Tools
    http://www.microsoft.com/downloads/details.aspx?FamilyID=cebf3c7c-7ca5-408f-88b7-f9c79b7306c0&displaylang=en

    Any update, let us get in touch!

    Best regards,

    Rebecca Chen
  9.

    Hi Steve,

    I am glad to hear this issue has gone after installing the patches. That is
    great!

    What kind of patch have you installed, Windows or Compaq management
    software?

    For any reason, the system now is aware that the policy has not been
    changed. :)

    Any update, let us get in touch!

    Best regards,

    Rebecca Chen

    Steve said:
    ================
    Thanks for your help Rebecca, but we can stop looking into it. I have
    installed some hotfixes that made the 643 event go away in all but one
    machine which can't be patched due to the applications installed.

    Thanks again,
    Steve Fix