What happens if an attacker cracks an Active Directory account password and takes control of network resources? What kind of financial damage can they inflict on your organization if they are so inclined? A password reset performed by someone other than the account owner, outside of a legitimate help-desk process, should raise red flags, as it can be a sign of an ongoing attack.
Preventing fraudulent access to user accounts is a fundamental part of IT security, as such access can lead to the inappropriate disclosure of sensitive data to undesirable parties, or even the destruction of confidential data. With many organizations maintaining a large user database, it is crucial to monitor and track object modifications in Active Directory on a regular basis.
Now the question is: "How do I keep track of these password resets and keep up to date with such changes being made in Active Directory?"
In this article, I will guide you through the steps towards tracking password resets using both the native auditing method and our advanced auditing solution, LepideAuditor.
Step 1: Group Policy Changes
- Firstly, type “GPMC.MSC” in “Run” box or “Command Prompt” and then press “Enter” key. The “Group Policy Management” console opens up.
- Go to "Forest" ➔ "Domains" ➔ your domain (shown here as "www.domain.com") in the left panel.
- Right-click "Default Domain Policy" or any customized domain-wide policy. (We recommend creating a new GPO, linking it to the domain, and editing that rather than modifying the Default Domain Policy.)
- Select “Edit” in context menu to access “Group Policy Management Editor”.
- Navigate to “Computer Configuration” ➔ “Policies” ➔ “Windows Settings” ➔ “Security Settings” ➔ “Local Policies” ➔ “Audit policy”.
- Double-click “Audit account management” policy to access its properties.
- Click to select “Define these policy settings” option.
- Select both "Success" and "Failure" check boxes to enable the audit policy for both successful and failed events.
- Click "Apply" and "OK".
- Note: on Windows Server 2008 R2 and later, if any setting under "Advanced Audit Policy Configuration" is defined in an applied GPO, the advanced settings override this legacy category by default. In that case, enable "Audit User Account Management" (Success and Failure) under "Computer Configuration" ➔ "Policies" ➔ "Windows Settings" ➔ "Security Settings" ➔ "Advanced Audit Policy Configuration" ➔ "Audit Policies" ➔ "Account Management" instead; that is the subcategory that generates the password-reset event.
- Close “Group Policy Management Editor” window.
- Right-click on the modified GPO in “Group Policy Management” console.
- Select "Group Policy Update" in the context menu to update the policy. You can alternatively update the policy from a Command Prompt on the domain controllers.
Step 2: View Logs in Event Viewer
Once auditing is enabled, perform the following tasks in "Event Viewer" to view the logged events:
- Open "Event Viewer" ➔ "Windows Logs" ➔ "Security".
- Filter the "Security" log for event ID 4724 ("An attempt was made to reset an account's password"). This event is logged on the domain controller that processed the reset, so check each domain controller or collect the logs centrally. Do not confuse it with event ID 4723, which is logged when a user changes their own password by supplying the old one.
The following screenshot shows event ID 4724 for a user account password reset:
You can scroll down to view the details: the "Subject" section identifies who performed the reset, and the "Target Account" section identifies the user whose password was reset. A 4724 entry with the "Audit Failure" keyword records a reset attempt that was denied, which is worth reviewing on its own.
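The following PowerShell script is an added example that is not part of the original article or of LepideAuditor. It ties Step 1 and Step 2 together: it checks the effective audit setting for the subcategory that produces event 4724, pulls the 4724 events from the Security log, and reports who reset whose password. The seven-day window and the help-desk group name "HelpDesk" are assumptions; the script assumes an elevated session on a domain controller with the RSAT ActiveDirectory module installed.

```powershell
# Added example (not from the original article). Assumes an elevated PowerShell
# session on a domain controller with the ActiveDirectory module available.

# 1. Confirm the effective audit setting for the subcategory that generates 4724.
auditpol /get /subcategory:"User Account Management"

# If you use Advanced Audit Policy rather than the legacy "Audit account management"
# category, this enables the subcategory locally (a GPO is preferred for all DCs):
#   auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable
# After changing a GPO, refresh policy on the DC:
#   gpupdate /force

# 2. Collect 4724 events from the last 7 days (window is an assumption).
$since  = (Get-Date).AddDays(-7)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4724; StartTime = $since } `
                       -ErrorAction SilentlyContinue

$report = foreach ($e in $events) {
    # The Subject/Target fields live in EventData; parse the XML rather than the message text.
    $xml = [xml]$e.ToXml()
    $d   = @{}
    foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    [pscustomobject]@{
        Time       = $e.TimeCreated
        Outcome    = if ($e.KeywordsDisplayNames -contains 'Audit Success') { 'Success' } else { 'Failure' }
        ResetBy    = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"   # who performed the reset
        TargetUser = "$($d['TargetDomainName'])\$($d['TargetUserName'])"     # whose password was reset
        DC         = $e.MachineName                                          # DC that logged the event
    }
}

$report | Sort-Object Time -Descending | Format-Table -AutoSize

# 3. Flag resets performed by accounts that are not in the help-desk group.
#    "HelpDesk" is an assumed group name; substitute the group you actually use.
$helpdesk = Get-ADGroupMember -Identity 'HelpDesk' -Recursive |
            Select-Object -ExpandProperty SamAccountName

$suspicious = $report | Where-Object { ($_.ResetBy -split '\\')[-1] -notin $helpdesk }
$suspicious | Format-Table -AutoSize
```

Because 4724 is written only on the domain controller that handled the reset, run the collection step against every DC (for example via `Invoke-Command`) or point it at a central log collector; otherwise resets processed by another DC will not appear in the report.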
There’s a Better Way – LepideAuditor for Active Directory
Lepide's Active Directory Auditing solution overcomes the limitations of native auditing and provides more features specifically geared towards helping you audit your entire IT infrastructure with just a click. The screenshot given below shows the "User password reset" report. Simply select an event to extract in-depth information, including answers to the critical who, what, where and when questions, which enables you to spot suspicious activities.
By now, you should have gained a pretty solid understanding of how to track user password resets in Active Directory. You have seen that the native auditing method is quite noisy, producing an unmanageable number of logs and making it difficult for IT admins to extract meaning from them. LepideAuditor, on the other hand, ensures that you are armed and ready to handle any issues that could be a potential threat to IT security. This automated solution is an ideal fit for any organization thanks to its scalability and affordability. It enables you to easily detect and roll back changes without having to rely on native auditing tools. Put your feet up and let LepideAuditor get to work.