Password never expire - alerting

Question asked by RSA Admin Employee on Jan 29, 2014
Latest reply on Oct 11, 2016 by Michail Piskoun

Hi SA community,

 

I am trying to create an alert in order to be informed when the Windows domain admin changes a user account to "never expire".

This is logged via event-id 4738 (security) in fact.

This event has many attributes though, the one related with my alert is under "User Account Control" attribute --> 'Don't Expire Password'

 

I wonder if SA keeps the related metadata of event-id 4738?

Has anyone experienced this kind of situation?

 

Thanks

 

Here is an example of such event:

A user account was changed.

Subject:
    Security ID: NTD_xxx/Andyxxx
    Account Name: Andyxxx
    Account Domain: NTD_xxx
    Logon ID: 0xe8d8873

Target Account:
    Security ID: NTD_xxx/E_ATxxx
    Account Name: E_ATxxx
    Account Domain: NTD_xxx

Changed Attributes:
    SAM Account Name: -
    Display Name: -
    User Principal Name: -
    Home Directory: -
    Home Drive: -
    Script Path: -
    Profile Path: -
    User Workstations: -
    Password Last Set: -
    Account Expires: -
    Primary Group ID: -
    AllowedToDelegateTo: -
    Old UAC Value: 0x10
    New UAC Value: 0x210
    User Account Control: 'Don't Expire Password' - Enabled
    User Parameters: -
    SID History: -
    Logon Hours: -

Additional Information:
    Privileges: -
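An added example, not part of the original post and not an SA rule: one way to flag this change from the raw 4738 message text by comparing the Old and New UAC values shown in the sample event above. The function name `check_4738`, the account names and the three sample messages are constructed for illustration.

```python
import re

# 0x200 is the bit that differs between Old (0x10) and New (0x210) UAC Value in
# the sample event; it corresponds to the SAM flag USER_DONT_EXPIRE_PASSWORD.
DONT_EXPIRE = 0x200

FIELDS = {
    "actor": r"Subject:.*?Account Name:\s*(\S+)",
    "target": r"Target Account:.*?Account Name:\s*(\S+)",
    "old_uac": r"Old UAC Value:\s*(0x[0-9A-Fa-f]+)",
    "new_uac": r"New UAC Value:\s*(0x[0-9A-Fa-f]+)",
}

def check_4738(message):
    """Return an alert dict if the message shows the flag being switched on, else None."""
    hit = {k: re.search(p, message, re.DOTALL) for k, p in FIELDS.items()}
    if not (hit["old_uac"] and hit["new_uac"]):
        return None  # no hex UAC values in the message (for example logged as "-")
    old, new = int(hit["old_uac"].group(1), 16), int(hit["new_uac"].group(1), 16)
    if not (new & DONT_EXPIRE) or (old & DONT_EXPIRE):
        return None  # flag cleared, or already set before this change
    return {
        "actor": hit["actor"].group(1) if hit["actor"] else None,
        "target": hit["target"].group(1) if hit["target"] else None,
        "old_uac": hex(old),
        "new_uac": hex(new),
    }

# Constructed sample messages (account names are placeholders).
HEAD = ("A user account was changed. Subject: Security ID: DOM/adminA "
        "Account Name: adminA Account Domain: DOM Target Account: "
        "Security ID: DOM/userB Account Name: userB Account Domain: DOM "
        "Changed Attributes: SAM Account Name: - ")
ENABLED = HEAD + ("Old UAC Value: 0x10 New UAC Value: 0x210 "
                  "User Account Control: 'Don't Expire Password' - Enabled")
DISABLED = HEAD + ("Old UAC Value: 0x210 New UAC Value: 0x10 "
                   "User Account Control: 'Don't Expire Password' - Disabled")
UNCHANGED = HEAD + "Old UAC Value: - New UAC Value: - User Account Control: -"

if __name__ == "__main__":
    for name, msg in (("ENABLED", ENABLED), ("DISABLED", DISABLED), ("UNCHANGED", UNCHANGED)):
        print(name, check_4738(msg))
```

Comparing the two hex values rather than matching the 'Don't Expire Password' text keeps the check independent of the display language of the event message.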


Outcomes