Security Basics mailing list archives

sec event log question (change to Encrypted Data Recovery Policy)


From: "Portman, Timm" <TPortman () parts-unltd com>
Date: Wed, 16 Oct 2002 14:09:48 -0500

Below is an example of an event I have not seen before, that I can't seem to
find much information about. If anyone has any information or resources on
this event, I'd really appreciate a schooling. 

I first noticed this about a week ago on one server that is connected to the
internet (a Tomcat Java server); it occurred right after a reboot of that
server.

2 days later, a different server (a sql2k development box) in my domain was
rebooted (used by the same developers as the tomcat server) by a tech adding
a hard drive, and the same event was recorded. 

3 days later, a third box (an IIS/Tomcat intranet server; Tomcat IS exposed
to the internet, though on a non-common port) was rebooted and a third
instance of this message was recorded.

Thanks, 

-Timm

Event Type:     Success Audit
Event Source:   Security
Event Category: Policy Change 
Event ID:       618
Date:           2002/10/15
Time:           08:50:19
User:           NT AUTHORITY\SYSTEM
Computer:       LEMANSSITE
Description:
Encrypted Data Recovery Policy Changed:
 Changed By:
        User Name:      <...SNIP...>$
        Domain Name:    <...SNIP...>
        Logon ID:       (0x0,0x3E7)
 Changes made:
 ('--' means no changes, otherwise each change is shown as:
 <ParameterName>: <new value> (<old value>))
 PolEfDat: <binary data> (<binary data>);  

Timm Portman
Senior Network Specialist
LeMans Corporation,
Janesville, WI 
(608)758-1111-x5545
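
An added example, not part of the original post: a Python parser for the Description text of an event like the one above, reporting which parameters changed and whether the change was logged under the LocalSystem logon session (Logon ID 0x3E7) by a computer account (name ending in `$`). The function names and the review rule are assumptions of this example.

```python
import re

# Constructed sample: the Description text from the post above, with the
# poster's <...SNIP...> redactions kept exactly as posted.
SAMPLE = """Encrypted Data Recovery Policy Changed:
 Changed By:
        User Name:      <...SNIP...>$
        Domain Name:    <...SNIP...>
        Logon ID:       (0x0,0x3E7)
 Changes made:
 ('--' means no changes, otherwise each change is shown as:
 <ParameterName>: <new value> (<old value>))
 PolEfDat: <binary data> (<binary data>);
"""

SYSTEM_LUID = (0x0, 0x3E7)  # well-known logon session ID of LocalSystem


def parse_618(description):
    """Extract the actor and the changed parameters from an event 618 description."""
    def field(label):
        m = re.search(r"^\s*" + re.escape(label) + r":\s*(.*?)\s*$", description, re.M)
        return m.group(1) if m else None

    luid = None
    m = re.search(r"Logon ID:\s*\((0x[0-9A-Fa-f]+),(0x[0-9A-Fa-f]+)\)", description)
    if m:
        luid = (int(m.group(1), 16), int(m.group(2), 16))

    # Change lines come after the legend and look like "Name: new (old);".
    body = description.split("<old value>))", 1)[-1]
    changed = sorted(m.group(1) for m in
                     re.finditer(r"^\s*(\w+):\s*(.+?)\s*\((.+?)\);", body, re.M))

    user = field("User Name")
    return {
        "user": user,
        "domain": field("Domain Name"),
        "logon_id": luid,
        "by_system_session": luid == SYSTEM_LUID,
        "by_machine_account": bool(user) and user.endswith("$"),
        "changed": changed,
    }


def needs_review(event):
    """Assumed triage rule: flag changes not made by the machine's own SYSTEM context."""
    return not (event["by_system_session"] and event["by_machine_account"])
```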

