If auditing is enabled (Account Management), it will show you that the
administrator password has been changed. Not much help since you know it
has been changed.
Look for event ids 627 and 628, setting a filter will lhelp.
http://www.windowsecurity.com/articles/Auditing-Users-Groups-Windows-Security-Log.html
--
Paul Bergson
MCT, MCSE, MCSA, Security+, BS CSi
2003, 2000 (Early Achiever), NT
http://www.pbbergs.com
Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.
"Andrew Story" <andrewDOTstoryATjameswalkerDOTbiz> wrote in message
news:eNc3vBt4GHA.4352@TK2MSFTNGP03.phx.gbl...
> An admin has done this, is there anyway to find out which account was
> responsible for this?
>
> Any info much appreciated (as always)
>
>