Maybe I am wrong, but as far as I can tell, Windows NT does not record event id 645. The MsAuditE.dll file (the file containing all the event templates) does not contain a template for this event. Did you ever get the 645 event on the Windows NT server? Here is the list of events listed in the MsAuditE.dll file on a Windows NT SP6a: http://www.eventid.net/downloads/ntsp6security.txt and here is the same file on a Windows 2000 Professional: http://www.eventid.net/downloads/w2kprofsecurity.txt Regards, Adrian Grigorof www.eventid.net ----- Original Message ----- From: "Brian Erdelyi" <brian_erdelyi@private> To: <loganalysis@private> Sent: Tuesday, October 05, 2004 2:30 PM Subject: [logs] Windows Events - "User Account Created" and "ComputerAccount Created" > I have a situation where a "User Account Created" was > logged unexpectedly. I followed up and discovered > that a technician had installed a new computer and > added it to the domain. I even verified by > correlating the event against user accounts and > computer accounts. > > To summarize, Windows logged "User Account Created" > (EventID 624) instead of "Computer Account Created" > (EventID 645). This is Windows NT 4 running as a > primary domain controller. I'm certain the latest > service packs are installed and about to confirm. I > could not find any relvevant MS knowledge base > articles or hits in Google. Has anyone every seen > similar unusual behaviour? _______________________________________________ LogAnalysis mailing list LogAnalysis@private http://lists.shmoo.com/mailman/listinfo/loganalysis
This archive was generated by hypermail 2.1.3 : Thu Oct 07 2004 - 10:43:35 PDT