
Event ID: 643 Source: Security

Domain Policy Changed:
Password Policy modified
Domain: CORPDOM Domain ID: %{S-1-5-21-1390850448-2335789268-393128203}
Caller User Name: APPSERVER$
Caller Domain: ALTDOMAIN
Caller Logon ID: (0x0,0x3E7)
This event normally indicates a successful change to the Windows 2000 AD security policies. However, it is also recorded when the Group Policies are applied (event ID 1704 would indicate a successful application of Group Policies). According to a newsgroup posting by a Microsoft intrusion detection engineer, this is "normal behaviour" for Windows 2000.

From a newsgroup post: "Group policy is applied every 16 hours by default. If you have set any of the 'security options' in a policy from the domain, then expect to see this event when those options are set."

See ME174074 and ME255295 for more details.
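Because the same event is written both for deliberate policy edits and for routine Group Policy application, it helps to triage on the caller fields. The following Python sketch is an added example, not part of the original page: it parses the event text shown above and flags records whose caller is a computer account running under logon ID 0x3E7 (the LocalSystem session). The function names, the second sample record and the triage rule itself are assumptions made for illustration.

```python
import re

# Event text as shown on this page, plus a constructed record with a
# user caller for contrast (the user name and logon ID are made up).
SAMPLE_MACHINE = """Domain Policy Changed:
Password Policy modified
Domain: CORPDOM Domain ID: %{S-1-5-21-1390850448-2335789268-393128203}
Caller User Name: APPSERVER$
Caller Domain: ALTDOMAIN
Caller Logon ID: (0x0,0x3E7)"""
SAMPLE_USER = SAMPLE_MACHINE.replace("APPSERVER$", "jsmith").replace(
    "(0x0,0x3E7)", "(0x0,0x2A4F1C)")

SYSTEM_LOGON_ID = 0x3E7  # well-known logon session of LocalSystem

FIELD_RE = re.compile(
    r"(Domain ID|Domain|Caller User Name|Caller Domain|Caller Logon ID):\s*(\S+)")
LOGON_RE = re.compile(r"\(0x([0-9A-Fa-f]+),0x([0-9A-Fa-f]+)\)")


def parse_event_643(text):
    """Return the labelled fields of an event 643 description as a dict."""
    fields = {key: value for key, value in FIELD_RE.findall(text)}
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    # The line after the "Domain Policy Changed:" header names the policy area.
    fields["Change"] = lines[1] if len(lines) > 1 else ""
    match = LOGON_RE.fullmatch(fields.get("Caller Logon ID", ""))
    # The logon ID is printed as (high,low) 32-bit halves of one 64-bit value.
    fields["logon_id"] = (
        (int(match.group(1), 16) << 32) | int(match.group(2), 16)
        if match else None)
    return fields


def triage(text):
    """Assumed rule: machine account + SYSTEM session is consistent with
    Group Policy application; anything else is queued for review."""
    f = parse_event_643(text)
    is_machine = f.get("Caller User Name", "").endswith("$")
    is_system = f["logon_id"] == SYSTEM_LOGON_ID
    return "likely-policy-refresh" if is_machine and is_system else "review"


if __name__ == "__main__":
    for sample in (SAMPLE_MACHINE, SAMPLE_USER):
        f = parse_event_643(sample)
        print(f["Caller User Name"], f["Change"], "->", triage(sample))
```

A "likely-policy-refresh" result is only a way to reduce noise; correlating it with event ID 1704 on the same host, as mentioned above, gives stronger confirmation.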
