Event ID 643 - Domain Policy Changed
|Sub category||Audit Authentication Policy Change|
|Description||Domain policy was changed|
When a user account is deleted in Active Directory, event ID 643 gets logged.
This log data gives the following information:
|Changes made||Min. Password Age
Max. Password Age
Lockout Observation Window
Min. Password Length
Password History Length
Machine Account Quota
Mixed Domain Mode
Domain Behavior Version
Why event ID 643 needs to be monitored?
- Prevention of privilege abuse
- Detection of potential malicious activity
- Operational purposes like getting information on user activity like user attendance, peak logon times, etc.
- Compliance mandates
Real-time Group Policy change audit reports from ADAudit Plus audits all changes that happen to a Group Policy object over its lifetime and provides a clear insight on the history of changes made to the Group Policy object.
Event 643 applies to the following operating systems:
- Windows Server 2000
- Windows 2003 and XP
Corresponding event ID for 643 in Windows Server 2008 and Vista is 4739