How to Track Password Changes and Resets in Active Directory


Not knowing who can read, change, delete or modify passwords is a blind spot in your Active Directory security that many organizations simply ignore. Because the rights to access, handle and share critical business data are delegated through Active Directory, attackers view it as the ultimate prize and will make repeated attempts to subvert your security by guessing passwords.

When your Active Directory accounts are accessed by anyone other than the designated IT administrator or account owner, it is entirely possible that those accounts have been compromised. To defend against this, IT administrators must regularly monitor their user account passwords. Collecting information such as when an account’s password was last set, when it expires, and the related log entries saves an organization from devastating data-leakage events.

In this article, we will discuss the steps required to detect password changes and resets in Active Directory. We’ll go through two methods: first the native way, using event logs, and then how much easier the process is using Lepide Active Directory Auditor.

Audit Password Changes and Resets with Native Auditing

Auditing password changes and resets in Active Directory natively requires two main steps: configuring group policy settings to enable auditing, and then finding the corresponding Event ID in Windows Event Viewer. We go through the steps in more detail here:

Step 1: Configuring Group Policy Settings to Enable Auditing

  1. Go to “Start Menu” ➔ “All Programs” ➔ “Administrative Tools” and double-click “Group Policy Management” to access its window.

    NOTE: You can also open the “Run” dialog box from the Start menu, type “GPMC.MSC” and click “OK” to open the Group Policy Management Console.

  2. In the left panel of Group Policy Management Console, go to “Forest” ➔ “Domains” ➔ “www.domain.com.”
  3. Double-click “www.domain.com” and navigate to “Default Domain Policy.”
  4. Right-click any customized policy under the “Domain Controllers” node. (We recommend editing a customized group policy instead of the Default Domain Controllers Policy.) You may also create a new GPO, link it to the domain, and edit it.
  5. The “Group Policy Management Editor” window appears on the screen. In the left panel, navigate to “Computer Configuration” ➔ “Policies” ➔ “Windows Settings” ➔ “Security Settings” ➔ “Local Policies”.
  6. Select “Audit Policy” to list all of its sub-policies in the right panel.
    Figure 1: Audit Policy Settings
  7. Double-click “Audit Account Management” to access its “Properties.”
    Figure 2: Audit Account Management Properties
  8. Click to select “Define these policy settings.”
  9. Select both the “Success” and “Failure” checkboxes to audit successful and failed events.
  10. Click “Apply” and then “OK”.

Step 2: View Logs in Event Viewer

Once Auditing is enabled, perform the following steps in Event Viewer to view the events:

  1. Open “Event Viewer”, and go to “Windows Logs” ➔ “Security”.
  2. Search for Event ID 4724 in the Security log. This Event ID records password resets, that is, an administrator setting a new password for an account without supplying the old one.
    Figure 3: Event Details for Password Reset by Administrator
  3. Also search for Event ID 4723. This Event ID records password changes, that is, a user changing their own password by supplying the current one.
    Figure 4: Event Details for Change in an Account’s Password by a User
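Clicking through Event Viewer on each domain controller does not scale, so the following PowerShell script, added here as an example and not part of the original article or of Lepide’s product, collects the two events above from every domain controller in the domain and returns one row per event with the actor, the target account and the outcome. It assumes the RSAT ActiveDirectory module is installed, that the caller can read the Security log remotely, and that Audit Account Management has been enabled as in Step 1; the function name Get-ADPasswordChangeEvent and its parameters are this example’s own.

```powershell
#Requires -Modules ActiveDirectory
# Example (not from the original article): gather password change (4723) and
# password reset (4724) events from every domain controller for the last N days.
# A change or reset is logged only on the DC that processed it, so every DC
# must be queried to get a complete picture.

function Get-ADPasswordChangeEvent {
    [CmdletBinding()]
    param(
        [int]$Days = 7,
        [string[]]$ComputerName   # defaults to all DCs in the current domain
    )

    if (-not $ComputerName) {
        $ComputerName = (Get-ADDomainController -Filter *).HostName
    }

    $filter = @{
        LogName   = 'Security'
        Id        = 4723, 4724
        StartTime = (Get-Date).AddDays(-$Days)
    }

    foreach ($dc in $ComputerName) {
        try {
            $events = Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction Stop
        } catch {
            # An empty result surfaces as an exception; any other error is worth a warning.
            if ($_.Exception.Message -notmatch 'No events were found') {
                Write-Warning "$dc : $($_.Exception.Message)"
            }
            continue
        }

        foreach ($e in $events) {
            # Pull the named EventData fields (SubjectUserName, TargetUserName, ...) out of the XML.
            $xml  = [xml]$e.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

            [pscustomobject]@{
                TimeCreated = $e.TimeCreated
                DC          = $dc
                EventId     = $e.Id
                Action      = if ($e.Id -eq 4724) { 'Reset' } else { 'Change' }
                Outcome     = if ($e.KeywordsDisplayNames -contains 'Audit Success') { 'Success' } else { 'Failure' }
                Target      = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
                Actor       = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
                ActorLogon  = $data['SubjectLogonId']
            }
        }
    }
}

# Usage: password resets from the last day, newest first. A reset whose Actor is
# not a known help-desk or admin account is the row to look at first.
Get-ADPasswordChangeEvent -Days 1 |
    Where-Object { $_.Action -eq 'Reset' } |
    Sort-Object TimeCreated -Descending |
    Format-Table TimeCreated, DC, Outcome, Target, Actor -AutoSize
```

If the script returns nothing even though passwords are being changed, check the effective audit policy on a domain controller with `auditpol /get /subcategory:"User Account Management"`: when the domain enforces advanced audit policy (the “force audit policy subcategory settings to override” option), the legacy Audit Account Management setting from Step 1 is ignored and the User Account Management subcategory must be enabled instead.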

How Lepide Active Directory Auditor Tracks Password Changes and Resets

As you can see from the above, tracking password changes and resets using the Event Viewer is a bit of a pain. In general, event logs are noisy, and administrators can spend hours trawling through false positives or irrelevant information to find what they are looking for. Event logs also lack critical context.

Want a quicker, more convenient and straightforward way of determining when passwords are changed for user accounts? Lepide Active Directory Auditor can provide you with this level of in-depth visibility through real-time alerts and reports that help you overcome the limitations of native auditing. The screenshot given below shows the “Password Change Report.”

Figure 5: Password Change Report

You can select an event and extract detailed information in a matter of clicks, including critical details such as object name, object path, email address, password last set, days since the password was set, and so on.

Conclusion

Installing and configuring Lepide Active Directory Auditor is easy. After configuring, you can carefully monitor password changes and password resets in real time, including users with soon-to-expire passwords, users with already expired passwords, users whose passwords never expire, accounts with passwords due to be changed at next logon, and recent logon failures.

To see how easy the solution is for yourself, start your free trial by filling in the form below:
