Windows Security Log Event ID 643

643: Domain Policy Changed

On this page

• Description of this event
• Field level details
• Examples
• Discuss this event

This event varies depending on the OS

Win2000

W2k logs frequent occurrences of this event even if you haven't changed your password policy. Each time Win2K applies Group Policy, it doesn't check to see whether the new and old policies are actually different. You can ignore event ID 643.

Win2003

Unlike w2k, w3 properly logs this event only when the password or lockout policy or domain mode changes. Additionally the actual settings changed are identified with their new values under Change Attributes.

The following Changed Attributes correspond to settings group policy under Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy:
Password Properties = "Password must meet complexity requirements" and "Store password using reversible encryption for all users in the domain"
- 0 = both complexity and reversible encryption disabled
1 = complexity enabled and reversible encryption disabled
- 16 = complexity disabled and reversible encryption enabled
- 17 = both complexity and reversible encryption enabled
Min. Password Age = Minimum password age
Max. Password Age = Maximum password age
Min. Password Length = Minimum password length
Password History Length = Enforce password history

The following Changed Attributes correspond to settings group policy under Computer Configuration\Windows Settings\Security Settings\Account Policies\Account Lockout Policy:
Lockout Threshold = Account lockout threshold
Lockout Observation Window = Reset account lockout counter after
Lockout Duration = Account lockout duration

The following Changed Attributes correspond to settings group policy under Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options:
Force Logoff = Network security: Force logoff when logon hours expire

Free Security Log Quick Reference Chart

Description Fields in 643 Domain Policy Changed: %1 modified Domain Name:  %2 Domain ID: %3 Caller User Name: %4 Caller Domain: %5 Caller Logon ID: %6 Privileges: %7 Changed Attributes: (the following fields do not appear in Windows 2000) Min. Password Age: %8 Max. Password Age: %9 Force Logoff: %10 Lockout Threshold: %11 Lockout Observation Window: %12 Lockout Duration: %13 Password Properties: %14 Min. Password Length: %15 Password History Length: %16 Machine Account Quota: %17   Mixed Domain Mode: %18 Domain Behavior Version: %19 OEM Information: %20 Top 10 Events to Monitor Examples of 643 Win2000 Domain Policy Changed: Password Policy modified Domain:ELMW2 Domain ID:ELMW2 Caller User Name:W2DC$ Caller Domain:ELMW2 Caller Logon ID:(0x0,0x3E7) Privileges:- Win2003 Domain Policy Changed: - modified Domain Name:ELM Domain ID:ELM Caller User Name:administrator Caller Domain:ELM Caller Logon ID:(0x0,0x158EB7) Privileges:- Changed Attributes: Min. Password Age:- Max. Password Age:- Force Logoff:- Lockout Threshold:- Lockout Observation Window:- Lockout Duration:- Password Properties:- Min. Password Length:- Password History Length:- Machine Account Quota:- Mixed Domain Mode:- Domain Behavior Version:2 OEM Information:- Keep me up-to-date on the Windows Security Log. Email*: *We will NOT share this

Training for the Windows Security Log Security Log Secrets In-Depth Training On-Site or On-Demand Security Log Resource Kit

Mini-Seminars Covering Event ID 643 Monitoring Active Directory for Security and Compliance: How Far Does the Native Audit Log Take You?

Discussions on Event ID 643 Ask a question about this event