Windows OS Hub

June 18, 2018 Active Directory, PowerShell

How to Check Who Reset the Password of a User in Active Directory

Let’s see how to track who reset the password of a particular user account in Active Directory using the security logs of the domain controllers.

You can track password reset events using audit policies. First of all, you need to enable the audit account management policies in your AD domain. To do it:

  1. Open the Group Policy Management console (gpmc.msc) and edit the Default Domain Policy.
  2. In the Group Policy Editor, go to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> Audit Policy.
  3. Find the Audit User Account Management policy and enable it (if you want to log both successful and failed attempts to change passwords, select Success and Failure).
    Note. You can enable this policy in the Advanced Audit Policy section as well (Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration).
  4. After applying the GPO on the clients, try changing the password of any AD user.
  5. Then open the Event Viewer on your domain controller and go to Event Viewer -> Windows Logs -> Security. Right-click the log and select Filter Current Log.
  6. In the filter parameters, specify that only events with the EventID 4724 should be displayed.
  7. Only the events of successful password change will be left in the list (An attempt was made to reset an account’s password). In the event details you can see the administrator account that changed the password (Subject:) and the name of the user account whose password was reset (Target Account:).
Tip. To get more information about the events of changing user passwords, add the following EventIDs to the filter:

  1. 4724 (628 in previous Windows Server versions) – An attempt was made to reset an account’s password (administrator reset user password)
  2. 4723 (627 in previous Windows Server versions) – An attempt was made to change an account’s password (the user changed the password himself)

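You can get the information about these events from all Active Directory domain controllers using the Get-ADComputer and Get-WinEvent PowerShell cmdlets:

(Get-ADComputer -SearchBase 'OU=Domain Controllers,DC=woshub,DC=com' -Filter *).Name | ForEach-Object {
    # Query the Security log of each domain controller for password reset events
    Get-WinEvent -ComputerName $_ -FilterHashtable @{LogName="Security";ID=4724} | ForEach-Object {
        # $event is an automatic variable in PowerShell, so a different name is used here
        $evtXml = [xml]$_.ToXml()
        if ($evtXml) {
            # Year-month-day order, so the timestamp is unambiguous and sortable
            $Time = Get-Date $_.TimeCreated -UFormat "%Y-%m-%d %H:%M:%S"
            # Data[4] is SubjectUserName (who performed the reset)
            $AdmUser = $evtXml.Event.EventData.Data[4]."#text"
            # Data[0] is TargetUserName (whose password was reset)
            $User = $evtXml.Event.EventData.Data[0]."#text"
            $dc = $evtXml.Event.System.Computer
            Write-Host "Admin " $AdmUser " resets password to " $User " on " $dc " " $Time
        }
    }
}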


If necessary, you can save this information directly from PowerShell to an external MySQL database using the MySQL .NET Connector, with a script similar to the one described in the article How to detect who deleted a file from Windows shared folder.
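An added example, not the site's own script, that extends the query above to both event IDs from the Tip (4724 and 4723), reads the EventData fields by name instead of by index, and can filter on one target account. It assumes the ActiveDirectory module and rights to read the Security log on each DC remotely; Get-PasswordChangeEvent is a hypothetical function name.

```powershell
# Added example: the function name and the sample account are illustrative.
function Get-PasswordChangeEvent {
    [CmdletBinding()]
    param(
        [string]$TargetUser,                        # optional sAMAccountName to filter on
        [datetime]$After = (Get-Date).AddDays(-7),  # look-back window (assumed default)
        [int[]]$Id = @(4724, 4723)                  # 4724 = reset by admin, 4723 = changed by user
    )
    $action = @{ 4724 = 'Reset'; 4723 = 'Change' }
    # Each domain controller keeps its own Security log, so all of them are queried.
    foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
        try {
            $events = Get-WinEvent -ComputerName $dc -ErrorAction Stop -FilterHashtable @{
                LogName = 'Security'; Id = $Id; StartTime = $After
            }
        } catch {
            # "No events found" is expected on a quiet DC; anything else (access denied,
            # DC unreachable) is reported so a gap in coverage is not mistaken for silence.
            if ($_.FullyQualifiedErrorId -notlike 'NoMatchingEventsFound*') {
                Write-Warning "${dc}: $($_.Exception.Message)"
            }
            continue
        }
        foreach ($e in $events) {
            # Index EventData by field name rather than by position.
            $data = @{}
            foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            if ($TargetUser -and $data['TargetUserName'] -ne $TargetUser) { continue }
            [pscustomobject]@{
                TimeCreated = $e.TimeCreated
                Action      = $action[$e.Id]
                Result      = $e.KeywordsDisplayNames -join ','   # Audit Success / Audit Failure
                Subject     = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
                Target      = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
                DC          = $e.MachineName
            }
        }
    }
}

# Who touched the password of the sample account a_smith in the last 7 days?
Get-PasswordChangeEvent -TargetUser 'a_smith' | Sort-Object TimeCreated | Format-Table -AutoSize
```

Because the function emits objects rather than formatted text, the same output can be piped to Export-Csv or Where-Object for review.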

3 comments

Dead-Red January 16, 2019 - 8:07 pm

Hello,

You have a great, but why edit the Default Domain Policy and not Default Domain Controllers Policy ?

Best Regards

raj February 8, 2019 - 1:03 am

Hi

I am really impressed by this PS script that will fetch the “User’s (single user) Password History”, however I am not sure where in the below script we have to specify the user name.
Can anyone help me with this, and if you have already used it, please post the place where I can input the user name
for which we get the history of the password reset…

You can get the information about these events from all Active Directory domain controllers using Get-ADComputer and Get-WinEvent PowerShell cmdlets:

(Get-ADComputer -SearchBase 'OU=Domain Controllers,DC=woshub,DC=com' -Filter *).Name | ForEach-Object {
    Get-WinEvent -ComputerName $_ -FilterHashtable @{LogName="Security";ID=4724} | ForEach-Object {
        # $event is an automatic variable in PowerShell, so a different name is used here
        $evtXml = [xml]$_.ToXml()
        if ($evtXml) {
            # Year-month-day order, so the timestamp is unambiguous and sortable
            $Time = Get-Date $_.TimeCreated -UFormat "%Y-%m-%d %H:%M:%S"
            $AdmUser = $evtXml.Event.EventData.Data[4]."#text"
            $User = $evtXml.Event.EventData.Data[0]."#text"
            $dc = $evtXml.Event.System.Computer
            Write-Host "Admin " $AdmUser " resets password to " $User " on " $dc " " $Time
        }
    }
}

dart February 8, 2019 - 5:09 pm

You can try to replace the following code line in the above PowerShell script:
Write-Host "Admin " $AdmUser " resets password to " $User " on " $dc " " $Time
with
if ($User -eq "a_smith") {Write-Host "Admin " $AdmUser " resets password to " $User " on " $dc " " $Time}

a_smith – is the username for which you want to get the password reset history in AD.
