Windows Security Log Event ID 643

Operating Systems: Windows Server 2000, Windows 2003 and XP
Category: Account Management
Type: Success
Corresponding events in Windows 2008 and Vista: 4739

643: Domain Policy Changed

This event varies depending on the OS

Win2000

Windows 2000 logs this event frequently even if you haven't changed your password policy. Each time Win2K applies Group Policy, it logs the event without checking whether the new and old policies are actually different. On Windows 2000 you can ignore event ID 643.

Win2003

Unlike Windows 2000, Windows Server 2003 properly logs this event only when the password policy, lockout policy or domain mode changes. Additionally, the settings that actually changed are identified with their new values under Changed Attributes.

The following Changed Attributes correspond to Group Policy settings under Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy:

  • Password Properties = "Password must meet complexity requirements" and "Store password using reversible encryption for all users in the domain"
      - 0 = both complexity and reversible encryption disabled
      - 1 = complexity enabled and reversible encryption disabled
      - 16 = complexity disabled and reversible encryption enabled
      - 17 = both complexity and reversible encryption enabled
  • Min. Password Age = Minimum password age
  • Max. Password Age = Maximum password age
  • Min. Password Length = Minimum password length
  • Password History Length = Enforce password history

The following Changed Attributes correspond to Group Policy settings under Computer Configuration\Windows Settings\Security Settings\Account Policies\Account Lockout Policy:

  • Lockout Threshold = Account lockout threshold
  • Lockout Observation Window = Reset account lockout counter after
  • Lockout Duration = Account lockout duration

The following Changed Attributes correspond to Group Policy settings under Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options:

  • Force Logoff = Network security: Force logoff when logon hours expire

Description Fields in 643

  • Domain Policy Changed: %1 modified
  • Domain Name:  %2
  • Domain ID: %3
  • Caller User Name: %4
  • Caller Domain: %5
  • Caller Logon ID: %6
  • Privileges: %7
  • Changed Attributes: (the following fields do not appear in Windows 2000)
  • Min. Password Age: %8
  • Max. Password Age: %9
  • Force Logoff: %10
  • Lockout Threshold: %11
  • Lockout Observation Window: %12
  • Lockout Duration: %13
  • Password Properties: %14
  • Min. Password Length: %15
  • Password History Length: %16
  • Machine Account Quota: %17  
  • Mixed Domain Mode: %18
  • Domain Behavior Version: %19
  • OEM Information: %20

Examples of 643

Win2000

Domain Policy Changed: Password Policy modified
Domain:ELMW2
Domain ID:ELMW2
Caller User Name:W2DC$
Caller Domain:ELMW2
Caller Logon ID:(0x0,0x3E7)
Privileges:-

Win2003

Domain Policy Changed: - modified
Domain Name:ELM
Domain ID:ELM
Caller User Name:administrator
Caller Domain:ELM
Caller Logon ID:(0x0,0x158EB7)
Privileges:-
Changed Attributes:
Min. Password Age:-
Max. Password Age:-
Force Logoff:-
Lockout Threshold:-
Lockout Observation Window:-
Lockout Duration:-
Password Properties:-
Min. Password Length:-
Password History Length:-
Machine Account Quota:-
Mixed Domain Mode:-
Domain Behavior Version:2
OEM Information:-
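
The following Python is an added example, not part of the original page: it parses a Win2003-style 643 description, keeps only the attributes that actually changed, maps them to the Group Policy names listed above, and flags weakened settings. Function names are hypothetical and the sample text is constructed; it assumes "-" marks an unchanged attribute (as in the Win2003 sample above), reads Password Properties as the bit flags 1 and 16 (which reproduces the four values listed above), and assumes a Lockout Threshold of 0 is logged as "0".

```python
# Changed Attributes label -> Group Policy setting name, as listed on this page.
GPO_SETTING = {
    "Min. Password Age": "Minimum password age",
    "Max. Password Age": "Maximum password age",
    "Min. Password Length": "Minimum password length",
    "Password History Length": "Enforce password history",
    "Lockout Threshold": "Account lockout threshold",
    "Lockout Observation Window": "Reset account lockout counter after",
    "Lockout Duration": "Account lockout duration",
    "Force Logoff": "Network security: Force logoff when logon hours expire",
}
COMPLEXITY = "Password must meet complexity requirements"
REVERSIBLE = "Store password using reversible encryption for all users in the domain"

def parse_643(description):
    """Return (caller, changes); assumes "-" marks an attribute that did not change."""
    fields, changes, in_changed = {}, {}, False
    for line in description.splitlines():
        name, sep, value = (part.strip() for part in line.partition(":"))
        if name == "Changed Attributes":
            in_changed = True
        elif sep and in_changed and value != "-":
            changes[name] = value
        elif sep and not in_changed:
            fields[name] = value
    caller = fields.get("Caller Domain", "?") + "\\" + fields.get("Caller User Name", "?")
    return caller, changes

def review(changes):  # map attributes to policy names and flag weakened settings
    report = {GPO_SETTING.get(k, k): v for k, v in changes.items() if k != "Password Properties"}
    flags = []
    if "Password Properties" in changes:
        bits = int(changes["Password Properties"])  # assumed bit flags: 1 and 16
        report[COMPLEXITY], report[REVERSIBLE] = bool(bits & 1), bool(bits & 16)
        flags += [] if bits & 1 else ["complexity disabled"]
        flags += ["reversible encryption enabled"] if bits & 16 else []
    if changes.get("Lockout Threshold") == "0":  # 0 = accounts never lock out
        flags.append("account lockout disabled")
    return report, flags

# Constructed sample in the Win2003 layout (not a captured event).
SAMPLE = """Caller User Name:administrator
Caller Domain:ELM
Changed Attributes:
Min. Password Length:-
Lockout Threshold:0
Password Properties:16"""
if __name__ == "__main__":
    print(parse_643(SAMPLE)[0], *review(parse_643(SAMPLE)[1]), sep="\n")
```

A Win2000 event has no Changed Attributes section, so `parse_643` returns an empty change set for it, which is consistent with treating those events as noise.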
