We use a piece of software to collate and interrogate the Security event logs from domain controllers (DCs) to indicate anyone changing the Audit Policy or Account Policy. In Windows NT, we looked for event ID 612 and event ID 643, respectively. In Windows 2000 Active Directory (AD), we've found that event ID 643 is produced every hour on each DC as Group Policy Objects (GPOs) are applied. Have you come across this problem, and have you found any equivalent events that give an idea of whether anyone is messing with the Audit or Account policies?

I know this is a problem in Windows 2000 until Service Pack 3 (SP3), which fixes it. On Win2K SP2 and earlier, domain controllers (DCs) log event ID 643 only if something about the domain actually changed. Event ID 643 on Windows Server 2003 also specifies the exact policies changed along with their new values.

Figure 1 shows an event ID 643 that a Windows 2003 machine logged when I changed two of the account lockout policies. Typically, event ID 643 identifies the user who changed the policy as the DC itself because administrators indirectly configure domain policies by editing GPOs, which are then applied by Windows.

On Windows 2003, you might come across an event ID 643 that identifies one of the domain administrators as the user but doesn't specify any changed policy values, as Figure 2 shows. I've deduced that this event is the result of the administrator changing the permissions on the root of the domain in Active Directory Users and Computers.