SRV 16 AD PASSWD.txt shows entries

BR0KK 641 Reputation points
2021-03-17T09:45:33.507+00:00

Hi,

I'm currently going through my AD and Exchange servers, and on one of them I found something suspicious in PASSWD.txt (C:\Windows\debug).

System:

SRV 16 Essentials as AD DHCP DNS and fileserver

There are 3 entries indicating that there was an attempt to change the password of specific users:

MediaAdmin$
edv (My Std. Admin)
ServerAdmin$

I changed the PW for EDV myself, but what do the other entries mean?

MediaAdmin$ seems to be the user for the Essentials Console?

Under Eventmgr I can see the IDs 4724 and 4742 ...

What does that mean in plain English?


1 answer

  1. Fan Fan 15,321 Reputation points Microsoft Vendor
    2021-03-18T07:21:47.973+00:00

    Hi,
    Event 4724: This event is generated every time an account attempts to reset the password for another account. This is the account audit policy used for security reasons to monitor who changes the accounts in the domain.
    Event 4742: This event is generated every time a computer object is changed.
    Based on my research,
    a. MediaAdmin: Service account used by Windows Server Essentials Media Streaming Service during configuration
    b. ServerAdmin: Service account used by Windows Server Essentials Management Service during configuration

    If possible, would you please share a screenshot of the events? (You can hide the private information.)

    Best Regards,
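
One way to see which account initiated each 4724 and 4742 event for the three names from the question, as an added example that is not part of the original thread. The 30-day look-back window is an assumption; the field names are the ones these events record in their EventData.

```powershell
# Added example: list Security events 4724/4742 that target the accounts
# named in the question, together with the account that made the change.
# Run in an elevated PowerShell session on the domain controller.
$accounts = 'MediaAdmin$', 'edv', 'ServerAdmin$'   # names from the question
$since    = (Get-Date).AddDays(-30)                # assumed look-back window

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4724, 4742
    StartTime = $since
} -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # EventData is a list of <Data Name="..."> elements in the event XML.
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
        $data[$d.Name] = $d.'#text'
    }

    # Keep only events whose target is one of the accounts of interest
    # (-notcontains compares case-insensitively).
    if ($accounts -notcontains $data['TargetUserName']) { continue }

    [pscustomobject]@{
        Time            = $e.TimeCreated
        EventId         = $e.Id
        Target          = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
        ChangedBy       = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
        LogonId         = $data['SubjectLogonId']
        # Present on 4742 only; '-' means this attribute was not changed.
        PasswordLastSet = $data['PasswordLastSet']
    }
}

$rows | Sort-Object Time | Format-Table -AutoSize
```

The ChangedBy column is the point of the check: entries made by the server's own SYSTEM or service context during Essentials configuration look different from a reset performed by an interactive administrator, and LogonId can be matched against event 4624 to find the originating logon session.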