RE: sec event log question (change to Encrypted Data Recovery Pol icy)

["Portman, Timm" <TPortman () parts-unltd com>]

except it doesn't re-occurr with each reboot, and I've not seen it on other
servers. I'm wondering if it is a security concern or something normal and
ignorable like a MS critical update patch making a system change. 

-----Original Message-----
From: Odhner, Christian [mailto:Christian.Odhner () netapp com]
Sent: 17 October 2002 12:34
To: 'Portman, Timm'; 'security-basics () securityfocus com'
Subject: RE: sec event log question (change to Encrypted Data Recovery
Pol icy)


>  PolEfDat: <binary data> (<binary data>);  

If I had to guess (and I do, because I have no actual
knowledge or experience with this) I would say that
PolEfDat means "Policy Effective Date", ie the date
and time that the policy most recently started being
enforced. This would make sense because it's changing
each time you reboot the system.

-Chris



--Original Sec-event log message:

Event Type:     Success Audit
Event Source:   Security
Event Category: Policy Change 
Event ID:       618
Date:           2002/10/15
Time:           08:50:19
User:           NT AUTHORITY\SYSTEM
Computer:       <...SNIP...>
Description:
Encrypted Data Recovery Policy Changed:
 Changed By:
        User Name:      <...SNIP...>$
        Domain Name:    <...SNIP...>
        Logon ID:       (0x0,0x3E7)
 Changes made:
 ('--' means no changes, otherwise each change is shown as:
 <ParameterName>: <new value> (<old value>))
 PolEfDat: <binary data> (<binary data>);