NT Authority\Anonymous Login displaying as the user in event logs

  • Question

  • Hi Everyone,

    My Active Directory setup is 2 x Server 2003 DCs with a 2003 native forest and domain running in VMware. There is also a Server 2003 member server.

    When I change a password using Active Directory Users and Computers, in the event logs I get the usual 628 password reset event ID and the 642 account change event ID, both saying my account changed the password.

    However, occasionally the 642 event lists the user who performed the action as NT Authority\Anonymous Logon.

    I am not able to replicate this event on purpose and am trying to understand what causes it. I have googled it, but none of the answers previously given seem to fit my situation.

    Any help would be appreciated.
    Tuesday, September 29, 2009 12:27 PM

Answers

  • I am looking for the link that is buried somewhere on technet, but, in the mean time:

    When you look at the other domain controller, do you see a differing result?

    My logic --

    A password can be reset at any Domain controller, and then that password change is pushed to the PDC emulator and the other DCs.  It would make sense to me that the event log on the first DC would show the correct user ID as the initiator, but then in all the other DCs something cryptic like NT Authority\Anonymous Logon would show up as the password change gets pushed around.

    Let me know what you see on the other DC,
    Aaron Sankey, Avanade
    Tuesday, September 29, 2009 5:53 PM

All replies

  • Hi Aaron,

    Thanks for the reply.

    In the event logs on the domain controller where I made the change, the username displayed correctly, and on the other DC only an anonymous 642 event showed. Initially I also believed this to be the result of the change replicating across DCs.

    However, after further testing I have been unable to purposely create an anonymous logon event. As far as I can tell, in the usual course of events, the 628 and 642 IDs show in the event logs of the DC the change is made on, and no entry is logged in the other DC's logs.

    AFAIK that's what's supposed to happen, as I remember having to use a tool called lockoutstatus.exe to determine which DC initially locked out an account so you could grab its logs, as the events aren't replicated.

    If that is the case then I'm at a loss to explain the anomalous 642 event.
    Tuesday, September 29, 2009 8:20 PM
  • Computer accounts or domain controllers have passwords and those can also get reset and generate a log.

    Are you sure that 642 event ID is from your password reset?  If you are sure that this is from your password reset, can you post a copy of your "anonymous 642"?

    Thanks,
    Aaron Sankey, Avanade
    Tuesday, September 29, 2009 8:55 PM
  • If we're talking about the computer password used to establish the secure channel, doesn't that generate a 646 event ID in the log when changed rather than a 642?

    Here are the event logs. Just to recap, there are 2 DCs (DMC001 & MEM001). The password for user account reptest was changed on MEM001 by user account lp.

    This is from DMC001:
    Event Type:    Success Audit
    Event Source:    Security
    Event Category:    Account Management
    Event ID:    642
    Date:        9/29/2009
    Time:        11:16:21 AM
    User:        NT AUTHORITY\ANONYMOUS LOGON
    Computer:    DMC001
    Description:
    User Account Changed:
         Target Account Name:    RepTest
         Target Domain:    BLUESUN
         Target Account ID:    BLUESUN\RepTest
         Caller User Name:    DMC001$
         Caller Domain:    BLUESUN
         Caller Logon ID:    (0x0,0x3E7)
         Privileges:    -
     Changed Attributes:
         Sam Account Name:    -
         Display Name:    -
         User Principal Name:    -
         Home Directory:    -
         Home Drive:    -
         Script Path:    -
         Profile Path:    -
         User Workstations:    -
         Password Last Set:    29/09/2009 11:16:21
         Account Expires:    -
         Primary Group ID:    -
         AllowedToDelegateTo:    -
         Old UAC Value:    -
         New UAC Value:    -
         User Account Control:    -
         User Parameters:    -
         Sid History:    -
         Logon Hours:    -


    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


    These are from MEM001:

    Event Type:    Success Audit
    Event Source:    Security
    Event Category:    Account Management
    Event ID:    628
    Date:        29/09/2009
    Time:        11:16:21
    User:        BLUESUN\lp
    Computer:    MEM001
    Description:
    User Account password set:
         Target Account Name:    RepTest
         Target Domain:    BLUESUN
         Target Account ID:    BLUESUN\RepTest
         Caller User Name:    lp
         Caller Domain:    BLUESUN
         Caller Logon ID:    (0x0,0x40C94)


    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


    Event Type:    Success Audit
    Event Source:    Security
    Event Category:    Account Management
    Event ID:    642
    Date:        29/09/2009
    Time:        11:16:21
    User:        BLUESUN\lp
    Computer:    MEM001
    Description:
    User Account Changed:
         Target Account Name:    RepTest
         Target Domain:    BLUESUN
         Target Account ID:    BLUESUN\RepTest
         Caller User Name:    lp
         Caller Domain:    BLUESUN
         Caller Logon ID:    (0x0,0x40C94)
         Privileges:    -
     Changed Attributes:
         Sam Account Name:    -
         Display Name:    -
         User Principal Name:    -
         Home Directory:    -
         Home Drive:    -
         Script Path:    -
         Profile Path:    -
         User Workstations:    -
         Password Last Set:    9/29/2009 11:16:21 AM
         Account Expires:    -
         Primary Group ID:    -
         AllowedToDelegateTo:    -
         Old UAC Value:    -
         New UAC Value:    -
         User Account Control:    -
         User Parameters:    -
         Sid History:    -
         Logon Hours:    -


    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


    Tuesday, September 29, 2009 9:31 PM
  • Hi Aaron,

    It seems my virtual labs were playing up a bit yesterday and replication between the DCs was not happening as it should.

    I've done more exhaustive testing today and can confirm that the NT Authority\Anonymous Logon 642 event IS a replication of the account change from the originating DC to the PDC emulator. It only seems to happen in that too (DC --> PDC emulator).

    Thanks for all your help.

    Lee
    Wednesday, September 30, 2009 12:54 PM
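    A small triage script for the pattern Lee confirmed, added here as an example and not part of the thread: it parses Event Viewer text in the shape posted above (the sample events are constructed and abbreviated from the DMC001/MEM001 ones), accepts the two date formats the two DCs printed, and marks an anonymous 642 as replication only when the DC's own machine account raised it and another DC logged a 628/642 for the same target within a few minutes; anything else is left as unexplained for a closer look. The field names and the 5-minute window are assumptions of the example.

```python
import re
from datetime import datetime, timedelta

ANON = "NT AUTHORITY\\ANONYMOUS LOGON"
# Constructed sample, abbreviated from the DMC001 / MEM001 events posted above.
SAMPLE_LOG = """\
Event ID: 642
Date: 9/29/2009
Time: 11:16:21 AM
User: NT AUTHORITY\\ANONYMOUS LOGON
Computer: DMC001
Target Account ID: BLUESUN\\RepTest
Caller User Name: DMC001$

Event ID: 628
Date: 29/09/2009
Time: 11:16:21
User: BLUESUN\\lp
Computer: MEM001
Target Account ID: BLUESUN\\RepTest
Caller User Name: lp
"""

def parse_when(date, time):
    # DMC001 printed US style (9/29/2009 11:16:21 AM), MEM001 UK style (29/09/2009 11:16:21).
    fmt = "%m/%d/%Y %I:%M:%S %p" if time[-1] in "Mm" else "%d/%m/%Y %H:%M:%S"
    return datetime.strptime(f"{date} {time}", fmt)

def parse_events(text):
    # One dict per event, keyed by the "Field:    value" names Event Viewer prints.
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        ev = {k.strip(): v.strip() for k, v in re.findall(r"^\s*([^:\n]+):\s*(.*)$", block, re.M)}
        ev["when"] = parse_when(ev["Date"], ev["Time"])
        events.append(ev)
    return events

def triage_anonymous_642(events, window=timedelta(minutes=5)):
    # 'replicated': raised by the DC's own machine account (DMC001$ on DMC001) and another
    # DC logged a 628/642 for the same target inside the window; otherwise 'unexplained'.
    verdicts = {}
    for ev in events:
        if ev["Event ID"] != "642" or ev["User"].upper() != ANON:
            continue
        own = ev["Caller User Name"].rstrip("$").upper() == ev["Computer"].upper()
        origin = any(o["Event ID"] in ("628", "642") and o["Computer"] != ev["Computer"]
                     and o["Target Account ID"] == ev["Target Account ID"]
                     and abs(o["when"] - ev["when"]) <= window for o in events)
        verdicts[ev["Target Account ID"]] = "replicated" if own and origin else "unexplained"
    return verdicts
```

    Running the same check with only the DMC001 event (no originator from MEM001) leaves the target marked unexplained, which is the case worth investigating.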
  • Glad you could nail it down :)

    Luck,
    Aaron Sankey, Avanade
    Wednesday, September 30, 2009 3:26 PM
  • I found this discussion very enlightening.

    I see some evidence - I haven't come to a final conclusion - that the Anonymous Logon changing people's password (additionally?) could be when the password expires and a person changes their password at the time of their final warning.

    I came across this phenomenon when I discovered an "anonymous logon" changing a person's password and no other log entry; I was trying to reconcile this against the conversation so far.

    Running a Windows 2008 AD environment.

    Friday, May 4, 2012 2:50 PM
  • Thanks for the hints here; based upon the above and reports I've generated, it certainly points to the fact that when a password expires, a 642 with Anonymous Logon is generated at the same time.
    Monday, May 28, 2012 11:23 AM