Active Directory (AD) authenticates users by checking a username against a password secret that only AD and the user know. If a user forgets the password, there is no way to reach internal resources until the account's password is reset, either by proving identity to a password self-service solution (e.g., answers to security questions) or by asking an administrator.
An administrator with the right permissions can reset a user's password with a click, without knowing the old one. That makes a password reset a critical event: an attacker who has compromised any account with reset rights can reset the password of a privileged account and take it over, so resets of sensitive accounts need to be monitored continuously.
Windows records every administrative password reset as event ID 4724 ("An attempt was made to reset an account's password") in the security log of the domain controller that processed it. This is distinct from event ID 4723, which is logged when a user changes their own password. Event 4724 is only generated when the Audit User Account Management subcategory is enabled on the domain controllers. Learn more about event ID 4724, including how ADAudit Plus can help monitor this and other potentially malicious activity.
The following steps help you discover who reset the password for a user account in Active Directory using native tools.
Go to Windows Event Viewer → Windows Logs → Security
Under Actions in the right pane, select Filter Current Log... and switch to the XML tab. Check the Edit query manually box and click Yes.
Figure 1. Filter security log using a custom query
Figure 2. Edit the custom query manually
This allows you to enter a custom manual query.
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(EventID=4724)]] and *[EventData[Data[@Name='TargetUserName']='NAME_OF_THE_USER_WHOSE_PASSWORD_WAS_RESET']]
    </Select>
  </Query>
</QueryList>
Figure 3. Event ID 4724 - an attempt was made to reset an account's password
As seen above, the event has two account sections: Account Name under Subject is the user who performed the password reset, and Account Name under Target Account is the user whose password was reset. The query above filters on the latter (TargetUserName); to find every reset performed by a particular administrator, filter on SubjectUserName instead.
If you have multiple domain controllers (DCs) in your environment, you need to look at the security log of every DC, because the security log is local to the DC that processed the reset and is not replicated to the others. Building a snapshot of all actions performed by a particular account with native tools is complex and time-consuming. A better option is to view pre-defined reports and export this information, or receive SMS or email notifications, which can be easily accomplished using ADAudit Plus.
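The steps above, automated across all DCs, as an added example that is not part of the original page and not ADAudit Plus code: the script enumerates every domain controller, runs the same XPath filter the Event Viewer procedure uses (event ID 4724, optionally narrowed to one target account) against each DC's Security log, and reports who reset whose password. It assumes the ActiveDirectory RSAT module is installed, that the caller can read the Security log on each DC, and that the firewall allows remote event log access; the $TargetUser and $Days parameters are illustrative names chosen for this example.

```powershell
# Added example: find who reset a user's password (event ID 4724) on every DC.
# Assumptions: RSAT ActiveDirectory module present; caller is in Event Log Readers
# (or an admin) on each DC; Remote Event Log Management firewall rule is open.
param(
    [string]$TargetUser = '*',   # sAMAccountName whose password was reset; '*' = any
    [int]$Days = 7               # how far back to search
)

Import-Module ActiveDirectory

if ($TargetUser -match "'") { throw "TargetUser may not contain an apostrophe (it is embedded in XPath)." }

# Same XPath as the Event Viewer custom query, plus a time window. '<' must be
# written as &lt; inside the XML Select element.
$ms    = [long]$Days * 86400000
$xpath = "*[System[(EventID=4724) and TimeCreated[timediff(@SystemTime) &lt;= $ms]]]"
if ($TargetUser -ne '*') {
    $xpath += " and *[EventData[Data[@Name='TargetUserName']='$TargetUser']]"
}
$filterXml = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">$xpath</Select>
  </Query>
</QueryList>
"@

# Security logs are not replicated, so every DC has to be queried individually.
$dcs = (Get-ADDomainController -Filter *).HostName

foreach ($dc in $dcs) {
    try {
        $events = Get-WinEvent -ComputerName $dc -FilterXml $filterXml -ErrorAction Stop
    }
    catch {
        # Get-WinEvent throws when nothing matches; distinguish that from access errors.
        if ($_.Exception.Message -like 'No events were found*') { continue }
        Write-Warning "Could not read the Security log on ${dc}: $($_.Exception.Message)"
        continue
    }

    foreach ($e in $events) {
        # Pull the named EventData fields out of the event XML.
        $xml = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $xml.Event.EventData.Data) { $d[$n.GetAttribute('Name')] = $n.'#text' }

        [pscustomobject]@{
            TimeCreated      = $e.TimeCreated
            DomainController = $dc
            ResetBy          = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"   # Subject: who did it
            TargetAccount    = "$($d['TargetDomainName'])\$($d['TargetUserName'])"     # Target: whose password
            SubjectLogonId   = $d['SubjectLogonId']   # correlate with the admin's 4624 logon event
        }
    }
}
```

Run it as `.\Find-PasswordResets.ps1 -TargetUser jsmith -Days 30` (file name chosen for this example) and pipe the output to Export-Csv if you need a record. A 4724 for a privileged account performed by an account that does not normally administer it, or from an unexpected DC, is the pattern worth alerting on; the SubjectLogonId lets you tie the reset back to the session in which the administrator (or attacker) logged on.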
See how ADAudit Plus can help you efficiently track user logon and logoffs as well as file server activities, audit AD users and groups, and more. Download a free, 30-day trial, or evaluate ADAudit Plus today with a free, online demo.