DOCUMENT:Q148929 08-AUG-2001 [winnt] TITLE :Security Event ID 642 Logged Incorrectly for Audits PRODUCT :Microsoft Windows NT PROD/VER:winnt:3.5,3.51 OPER/SYS: KEYWORDS: ====================================================================== ------------------------------------------------------------------------------- The information in this article applies to: - Microsoft Windows NT Workstation versions 3.5, 3.51 - Microsoft Windows NT Server versions 3.5, 3.51 ------------------------------------------------------------------------------- SYMPTOMS ======== If you set up for User and Group Management Audit policy on a Windows NT primary domain controller (PDC), Event ID 642 appears. The security event indicates that a user account has changed even though no changes have occurred. This event is logged when a client computer logs on or logs off the Windows NT domain. CAUSE ===== When a client computer attempts a logon, the PDC normally updates the client account to record statistics. One primary statistic is Last Logon Time. This information is sometimes displayed by network clients during a logon sequence. The code in SAMSRV.DLL that handles audits does not supress auditing of record changes due to statistics updates. RESOLUTION ========== To correct this problem, apply the fix mentioned below:. For Windows NT 3.5, call Microsoft Product Support for an updated file. For Windows NT 3.51, install Windows NT 3.51 Service Pack 5 or later. To resolve this problem, upgrade to Windows NT Workstation and Server version 4.0. STATUS ====== Microsoft has confirmed this to be a problem in Windows NT versions 3.5 and 3.51. This problem was corrected in Windows NT Workstation or Server version 4.0. This problem was also corrected in the latest Windows NT 3.51 U.S. Service Pack. For information on obtaining the Service Pack, query on the following word in the Microsoft Knowledge Base (without the spaces): S E R V P A C K Additional query words: prodnt 3.50 3.51 user manager usrmgr ====================================================================== Keywords : Technology : kbWinNTsearch kbWinNTWsearch kbWinNT351search kbWinNT350search kbWinNTW350 kbWinNTW350search kbWinNTW351search kbWinNTW351 kbWinNTSsearch kbWinNTS351 kbWinNTS350 kbWinNTS351search kbWinNTS350search Version : winnt:3.5,3.51 ============================================================================= THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY. Copyright Microsoft Corporation 2001.