Windows Security Log Event ID 643

643: Domain Policy Changed

On this page

• Description of this event
• Field level details
• Examples
• Mini-seminars on this event

This event varies depending on the OS

Win2000

W2k logs frequent occurrences of this event even if you haven't changed your password policy. Each time Win2K applies Group Policy, it doesn't check to see whether the new and old policies are actually different. You can ignore event ID 643.

Win2003

Unlike w2k, w3 properly logs this event only when the password or lockout policy or domain mode changes. Additionally the actual settings changed are identified with their new values under Change Attributes.

The following Changed Attributes correspond to settings group policy under Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy:
Password Properties = "Password must meet complexity requirements" and "Store password using reversible encryption for all users in the domain"
- 0 = both complexity and reversible encryption disabled
1 = complexity enabled and reversible encryption disabled
- 16 = complexity disabled and reversible encryption enabled
- 17 = both complexity and reversible encryption enabled
Min. Password Age = Minimum password age
Max. Password Age = Maximum password age
Min. Password Length = Minimum password length
Password History Length = Enforce password history

The following Changed Attributes correspond to settings group policy under Computer Configuration\Windows Settings\Security Settings\Account Policies\Account Lockout Policy:
Lockout Threshold = Account lockout threshold
Lockout Observation Window = Reset account lockout counter after
Lockout Duration = Account lockout duration

The following Changed Attributes correspond to settings group policy under Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options:
Force Logoff = Network security: Force logoff when logon hours expire

Free Security Log Resources by Randy

• Free Security Log Quick Reference Chart
• Windows Event Collection: Supercharger Free Edtion
• Free Active Directory Change Auditing Solution
• Free Course: Security Log Secrets

Description Fields in 643

• Domain Policy Changed: %1 modified
• Domain Name:  %2
• Domain ID: %3
• Caller User Name: %4
• Caller Domain: %5
• Caller Logon ID: %6
• Privileges: %7
• Changed Attributes: (the following fields do not appear in Windows 2000)
• Min. Password Age: %8
• Max. Password Age: %9
• Force Logoff: %10
• Lockout Threshold: %11
• Lockout Observation Window: %12
• Lockout Duration: %13
• Password Properties: %14
• Min. Password Length: %15
• Password History Length: %16
• Machine Account Quota: %17  
• Mixed Domain Mode: %18
• Domain Behavior Version: %19
• OEM Information: %20

Supercharger Free Edition

Supercharger's built-in Xpath filters leave the noise behind.

Free.

 

Mini-Seminars Covering Event ID 643 Monitoring Active Directory for Security and Compliance: How Far Does the Native Audit Log Take You? Top 5 Daily Reports for Monitoring Windows Servers Building a Security Dashboard for Your Senior Executives

 

Upcoming Webinars Unpacking a Linux Supply Chain Compromise Using the Recently Published XZ Utils Backdoor as the Example Assessing the Security of Your Active Directory: User Accounts Anatomy of a Cloud Hack: The Cloudflare/Okta Compromise – A Story of Tokens, Lateral Movement, Persistence and the Salvation of Zero Trust and Hard MFA Tokens

Additional Resources

•	Event IDs
•	All Event IDs
•	Audit Policy