Security Event ID 642 Logged Incorrectly for Audits

• Microsoft Windows NT Workstation versions 3.5 and 3.51
• Microsoft Windows NT Server versions 3.5 and 3.51

SYMPTOMS

If you set up for User and Group Management Audit policy on a Windows NT primary domain controller (PDC), Event ID 642 appears. The security event indicates that a user account has changed even though no changes have occurred. This event is logged when a client computer logs on or logs off the Windows NT domain.

CAUSE

When a client computer attempts a logon, the PDC normally updates the client account to record statistics. One primary statistic is Last Logon Time. This information is sometimes displayed by network clients during a logon sequence. The code in SAMSRV.DLL that handles audits does not supress auditing of record changes due to statistics updates.

RESOLUTION

To correct this problem, apply the fix mentioned below:.

For Windows NT 3.5, call Microsoft Product Support for an updated file. For Windows NT 3.51, install Windows NT 3.51 Service Pack 5 or later.

To resolve this problem, upgrade to Windows NT Workstation and Server version 4.0.

STATUS

Microsoft has confirmed this to be a problem in Windows NT versions 3.5 and 3.51. This problem was corrected in Windows NT Workstation or Server version 4.0. This problem was also corrected in the latest Windows NT 3.51 U.S. Service Pack. For information on obtaining the Service Pack, query on the following word in the Microsoft Knowledge Base (without the spaces):

   S E R V P A C K