Not knowing who can read, change, delete or modify passwords is a blind spot in Active Directory security that many organizations simply ignore. Because the rights to access, handle, and share critical business data are delegated through Active Directory, attackers view it as the ultimate prize and will repeatedly try to subvert your security by guessing passwords. When your Active Directory accounts are accessed by anyone other than the designated IT administrator or the account owner, it is entirely possible that those accounts have been compromised. To defend against this, IT administrators must regularly monitor their user account passwords. Collecting information such as when an account's password was last set, when it expires, and the related audit logs can save an organization from a devastating data leak.
This article walks through the steps to detect password changes using native auditing and then using LepideAuditor.
Step 1: Configuring Group Policy Settings
- Go to “Start Menu” ➔ “All Programs” ➔ “Administrative Tools” and double-click “Group Policy Management” to access its window.
NOTE: You can also open the “Run” dialog box from the Start menu, type “GPMC.MSC” and click “OK” to open the Group Policy Management console.
- In the left panel of Group Policy Management Console, go to “Forest” ➔ “Domains” ➔ “www.domain.com.”
- Double-click “www.domain.com” and navigate to “Default Domain Policy.”
- Right-click a customized policy under the “Domain Controllers” node. (We recommend editing a customized group policy rather than the Default Domain Controllers Policy itself.) You may also create a new GPO, link it to the domain, and edit that.
- The “Group Policy Management Editor” window appears. In the left panel, navigate to “Computer Configuration” ➔ “Policies” ➔ “Windows Settings” ➔ “Security Settings” ➔ “Local Policies”.
- Select “Audit Policy” to list all of its sub-policies in the right panel.
- Double-click “Audit Account Management” to access its “Properties.”
- Click to select “Define these policy settings.”
- Select both the “Success” and “Failure” checkboxes to audit successful and failed events.
- Click “Apply” and then “OK.”
Step 2: View Logs in Event Viewer
Once auditing is enabled, perform the following steps in Event Viewer to view the events:
- Open “Event Viewer”, and go to “Windows Logs” ➔ “Security”.
- Search for Event ID 4724 in the Security log. This event ID identifies an attempt by an administrator to change (reset) an account’s password.
- Also search for Event ID 4723. This event ID identifies an attempt by a user to change their own account’s password.
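The two steps above can be carried out from PowerShell instead of the GPMC and Event Viewer GUIs. The script below is an added example, not code from the article or from Lepide: it checks that the audit subcategory behind “Audit Account Management” is actually on, pulls 4723 and 4724 events from the Security log, and parses each event’s XML so the target account and the account that performed the change are named columns. It assumes it is run in an elevated PowerShell session on a domain controller (the hypothetical `-ComputerName` and `-Hours` parameters are this example’s own), by an account allowed to read the Security log and run `auditpol`.

```powershell
# Added example (not from the original article): verify the audit policy that
# produces events 4723/4724 and list those events with named fields.
# Assumption: run elevated on a domain controller, or point -ComputerName at one.
param(
    [string]$ComputerName = $env:COMPUTERNAME,   # hypothetical parameter: DC to query
    [int]$Hours = 24                              # hypothetical parameter: look-back window
)

# 1. Confirm the effective audit setting. The legacy "Audit Account Management"
#    policy maps to the "User Account Management" subcategory, which is the
#    subcategory that writes 4723 (change) and 4724 (reset).
$policy  = auditpol /get /subcategory:"User Account Management" /r | ConvertFrom-Csv
$setting = $policy | Select-Object -First 1 -ExpandProperty 'Inclusion Setting'
if ($setting -notmatch 'Success') {
    Write-Warning "User Account Management auditing is '$setting'; 4723/4724 will not be logged."
}

# 2. Query the Security log for password change (4723) and reset (4724) events
#    created within the look-back window.
$since  = (Get-Date).AddHours(-$Hours)
$filter = @{ LogName = 'Security'; Id = 4723, 4724; StartTime = $since }
$events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue

# 3. Parse each event's XML so the interesting fields are columns, not free text.
$rows = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time        = $e.TimeCreated
        EventId     = $e.Id
        Action      = if ($e.Id -eq 4723) { 'Change (user)' } else { 'Reset (admin)' }
        Target      = "$($data.TargetDomainName)\$($data.TargetUserName)"
        PerformedBy = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
        Outcome     = if ($e.KeywordsDisplayNames -contains 'Audit Success') { 'Success' } else { 'Failure' }
        Source      = $e.MachineName
    }
}

$rows | Sort-Object Time -Descending | Format-Table -AutoSize

# 4. Summarise resets (4724) where the actor is not the account owner: a reset
#    performed by an account other than the designated administrator is the
#    situation the article warns about, so group them by who performed them.
$rows | Where-Object { $_.EventId -eq 4724 -and $_.Target -ne $_.PerformedBy } |
    Group-Object PerformedBy | Sort-Object Count -Descending |
    Select-Object Name, Count
```

Each of these events is written only to the Security log of the domain controller that processed the change, so in a multi-DC domain run the script against every DC (or collect the Security logs centrally) before concluding that no password changes occurred. A 4723 with the Failure keyword usually means the user supplied the wrong current password; repeated failures against one account are worth a closer look.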
A better solution for auditing Active Directory – LepideAuditor
Want a quicker, more comfortable and straightforward way of determining when passwords are changed for user accounts? LepideAuditor for Active Directory can provide this level of in-depth visibility through real-time alerts and reports that help you overcome the limitations of native auditing. The screenshot given below shows the “Password Change Report.”
You can select an event and extract detailed information in a matter of clicks, including object name, object path, email address, password last set, days since the password was set, and more.
LepideAuditor for Active Directory is straightforward to install and configure. Once configured, you can closely monitor password changes and password resets, including users whose passwords will soon expire, users with expired passwords, users whose passwords never expire, users who must change their password at next logon, and recent logon failures.