There are more one one DCs (DC1 and DC2, DC1 is the PDC Emulator) in a domain. An administrator changes an AD user account attribute, e.g. changing password/unlocking account, on DC2.
On DC2, two security events (628 (for password reset) and 642) are logged with the administrator user id. On DC1 (the PDC emulator), only one event (642) is logged with NT Authority\Anonymous Logon.
I agree the event ID 642 on DC1 is created by the replication of the changes to the DC holding the PDC Emulator role. Sometimes, I also see this happened on a non PDC Emulator DC.
No comments:
Post a Comment