Windows OS Hub

June 18, 2018 | Active Directory, PowerShell

How to Check Who Reset the Password of a User in Active Directory

Let’s see how to track who reset the password of a particular user account in Active Directory using the domain controllers’ Security logs.

You can track password reset events using audit policies. First of all, you need to enable the audit account management policies in your AD domain. To do it:

  1. Open the Group Policy Management console (gpmc.msc) and edit the Default Domain Policy.
  2. In the Group Policy Editor, go to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> Audit Policy.
  3. Find the Audit User Account Management policy and enable it (if you want to log both successful and failed attempts of changing passwords, select Success and Failure).
    Note. You can enable this policy in the Advanced Audit Policy section as well (Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration).

  4. After applying the GPO on the clients, try to change the password of any AD user.
  5. Then open the Event Viewer on your domain controller and go to Event Viewer -> Windows Logs -> Security. Right-click the log and select Filter Current Log.
  6. In the filter parameters, specify that you only need to display events with the EventID 4724.
  7. Only the events of successful password change will be left in the list (An attempt was made to reset an account’s password). In the event details you can see the administrator account that changed the password (Subject:) and the name of the user account whose password was reset (Target Account:).
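
If the filter in step 6 returns nothing, first check that the audit setting from step 3 is effective on the domain controllers. The following is an added example, not part of the original article; it assumes PowerShell remoting (WinRM) to the DCs is allowed for your account and enumerates them with Get-ADDomainController.

```powershell
# Added example: read the effective "User Account Management" audit setting on every DC.
Import-Module ActiveDirectory

# The subcategory GUID is used instead of its display name because auditpol output is localized.
$guid = '{0CCE9235-69AE-11D9-BED3-505054503030}'   # User Account Management

$dcs = (Get-ADDomainController -Filter *).HostName

Invoke-Command -ComputerName $dcs -ArgumentList $guid -ErrorAction Continue -ScriptBlock {
    param($Subcategory)
    # /r prints the result as CSV; empty lines are dropped before parsing.
    auditpol /get "/subcategory:$Subcategory" /r |
        Where-Object { $_ } |
        ConvertFrom-Csv
} |
    Select-Object @{ n = 'DC';      e = { $_.PSComputerName } },
                  Subcategory,
                  @{ n = 'Setting'; e = { $_.'Inclusion Setting' } } |
    Format-Table -AutoSize
```

On an English-language system, a DC that reports "No Auditing" will not record events 4723 or 4724, and a DC that returns an error instead of a row is one whose log you cannot currently verify.
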
Tip. To get more information about the events of changing user passwords, add the following EventIDs to the filter:

  1. 4724 (628 in previous Windows Server versions) – An attempt was made to reset an account’s password (administrator reset user password)
  2. 4723 (627 in previous Windows Server versions) – An attempt was made to change an account’s password (the user changed the password himself)

You can get the information about these events from all Active Directory domain controllers using the Get-ADComputer and Get-WinEvent PowerShell cmdlets:
(Get-ADComputer -SearchBase 'OU=Domain Controllers,DC=woshub,DC=com' -Filter *).Name | ForEach-Object {
    # Query the Security log of each domain controller for password reset events (4724)
    Get-WinEvent -ComputerName $_ -FilterHashtable @{LogName="Security";ID=4724} | ForEach-Object {
        # $evt is used because $event is a PowerShell automatic variable
        $evt = [xml]$_.ToXml()
        if ($evt)
        {
            $Time = Get-Date $_.TimeCreated -UFormat "%Y-%m-%d %H:%M:%S"
            # EventData field 4 is SubjectUserName (who did the reset), field 0 is TargetUserName
            $AdmUser = $evt.Event.EventData.Data[4]."#text"
            $User = $evt.Event.EventData.Data[0]."#text"
            $dc = $evt.Event.System.Computer
            Write-Host "Admin " $AdmUser " resets password to " $User " on " $dc " " $Time
        }
    }
}
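
The script above reads only event 4724 and picks fields by position. The following added example (not from the original article) also collects 4723 from the Tip, reads EventData fields by name, and returns objects that can be sorted or exported. The 7-day window, the CSV file name and the use of Get-ADDomainController instead of the OU search are assumptions of this example.

```powershell
# Added example: collect 4724 (reset) and 4723 (self-change) events from every DC.
Import-Module ActiveDirectory

$since  = (Get-Date).AddDays(-7)     # assumed look-back window
$action = @{ 4724 = 'Reset by another account'; 4723 = 'Changed by the user' }

$report = foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
    try {
        $events = Get-WinEvent -ComputerName $dc -ErrorAction Stop -FilterHashtable @{
            LogName = 'Security'; Id = 4723, 4724; StartTime = $since
        }
    }
    catch {
        # "No events found" is raised as an error too; anything else means
        # this DC's log could not be read and the report is incomplete.
        if ($_.FullyQualifiedErrorId -notlike 'NoMatchingEventsFound*') {
            Write-Warning "$dc : $($_.Exception.Message)"
        }
        continue
    }

    foreach ($e in $events) {
        # Index the EventData fields by name instead of by position.
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
            $data[$d.Name] = $d.'#text'
        }

        [pscustomobject]@{
            TimeCreated = $e.TimeCreated
            DC          = $e.MachineName
            EventId     = $e.Id
            Action      = $action[$e.Id]
            Result      = $e.KeywordsDisplayNames -join ','   # Audit Success / Audit Failure
            Actor       = '{0}\{1}' -f $data.SubjectDomainName, $data.SubjectUserName
            Target      = '{0}\{1}' -f $data.TargetDomainName, $data.TargetUserName
        }
    }
}

$report | Sort-Object TimeCreated | Format-Table -AutoSize
$report | Export-Csv -Path .\password-resets.csv -NoTypeInformation   # assumed output path
```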


If necessary, you can save this info directly from PowerShell to an external MySQL database using the MySQL .NET Connector, following a script similar to the one described in the article How to detect who deleted a file from Windows shared folder.
