We use a piece of software to collate and interrogate the Security
event logs from domain controllers (DCs) to indicate anyone changing the Audit
Policy or Account Policy. In Windows NT, we looked for event ID 612 and event
ID 643, respectively. In Windows 2000 Active Directory (AD), we've found that
event ID 643 is produced every hour on each DC as Group Policy Objects (GPOs)
are applied. Have you come across this problem, and have you found any equivalent
events that give an idea of whether anyone is messing with the Audit or Account
policies?
I know this is a problem in Windows 2000 until Service Pack 3 (SP3), which fixes it. On Win2K SP2 and earlier, domain controllers (DCs) log event ID 643 only if something about the domain actually changed. Event ID 643 on Windows Server 2003 also specifies the exact policies changed along with their new values.
Figure 1 shows an event ID 643 that a Windows
2003 machine logged when I changed two of the account lockout policies. Typically,
event ID 643 identifies the user who changed the policy as the DC itself because
administrators indirectly configure domain policies by editing GPOs, which are
then applied by Windows.
On Windows 2003, you might come across an event ID 643 that identifies one
of the domain administrators as the user but doesn't specify any changed policy
values, as Figure 2 shows. I've deduced that
this event is the result of the administrator changing the permissions on the
root of the domain in Active Directory Users and Computers.