All passwords were expired by what?

user165568 asked:

Possible Duplicate:
What Win-2003 security policy expired all passwords, and how did it do it?

Most of our user passwords were reset at 4:30pm local time over the weekend (non working day). Not the administrator account, but it did include some security enabled user groups that aren’t actually login accounts.

It’s possible that this was a virus or a break-in, but I’m thinking more likely it was an unknown act of stupidity and ignorance.

What kind of policy or security setting would cause the passwords to all expire at the same time? The accounts that are login accounts are all set to never expire.

I am asking for SPECIFIC information about Group Policy or Active Directory Account Settings. If you do not think this was caused by Group Policy or AD Accont Settings, please say so. All of the Accounts that reset were in one OU.

Clarification/Correction: The passwords were not changed, they were only expired. (This has the effect that offsite users could not connect, but when users arrived on-site, they were able to connect using the expired password).

Further information: event log shows SceCli event 1704 at the critical moment: “Security policy in the Group policy objects has been applied successfully.”

I’m painfully going through the group policy settings now. Specific suggestions would be welcome.
I do not know how a Group policy could be applied without me knowing. Specific explanations would be welcome.

moved to new question:

PS: There is a comment here: let me know and I’ll re-open this one. – voretaq7♦ yesterday

But no contact information.

PSS: There is a comment here: If this question and the other are identical please edit the other one as needed to incorporate all relevant information and delete this one. >But I started a new question because there are comments here telling me I should start a new question, because the new question is not identical. If you don’t agree with them, tell us why they are wrong. I’m in the middle of a war about when new questions should be started???

My answer:

Look in your security event log on the domain controller for event ID 628. If passwords were reset by someone other than the user himself, this event should have been recorded for each user whose password was reset. The details should tell you who changed the password.

If passwords had simply expired, you would see event ID 535 logged when an affected user tries to log in.

Also look for other events around the time period that you believe this happened. You may find other events logged that will give you a clue as to what happened.

View the full question and any other answers on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.