With ADAudit Plus
ADAudit Plus generates reports by processing information from the Event Viewer. To view the reports, open the ADAudit Plus console and navigate to Reports > User Management > Password Never Expires Set Users report. This report lists the users whose passwords are set to never expire and, more importantly, displays the users who initiated this change. Unlike in native AD auditing, the administrator does not have to go through several logs to find the events that indicate that this setting has been applied. They can also find the user account that initiated the modification of the password settings. Here is a sample report:
Steps to Enable Audit Policy
Open Server Manager on your Windows server.
Under the Manage tab, click on Group Policy Management to open the Group Policy Management Console.
Navigate to Forest > Domain > Your Domain > Domain Controllers.
You can choose to either edit an existing group policy object or create a new one.
In the Group Policy Editor, navigate to Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration.
Expand the node and navigate to Audit Policy > Account Management > Audit User Account Management. Enable it for both 'Success' and 'Failure'.
Auditing 'Password never expires' event with native AD tools and techniques
Open Event Viewer to find the users who have 'Password never expires' set in their accounts.
Windows Event Viewer records all the changes to the objects in the directory for which auditing has been enabled. Every change is recorded as an event and is associated with a unique event ID.
To view the events, open Event Viewer and navigate to Windows Logs > Security. The center pane displays all the events that are being audited. Look for Event ID 4738, which indicates that a user account was changed.
This image shows the event log filtered for event ID 4738.
Click on 'Filter Current Log' on the right pane to filter the events by event IDs, time range and a few other parameters. After the events have been filtered by event ID 4738, you can click on the logs for more details regarding the change. The administrator can read through the details of each log to find users who have passwords set to never expire.
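The manual read-through of 4738 events described above can be scripted. The following PowerShell is an added example, not part of the original page or of ADAudit Plus. It assumes the event's Old UAC Value and New UAC Value fields carry the SAM account-control flags, in which 0x200 is 'Don't Expire Password'; the function name and the sample event are constructed for illustration.

```powershell
# Added example: report 4738 events in which 'Don't Expire Password' was switched on,
# together with the account that made the change.
$DontExpire = 0x200   # assumption: SAM account-control bit logged in Old/NewUacValue

function Get-PasswordNeverExpiresChange {   # hypothetical helper name
    param([Parameter(Mandatory)][xml[]]$EventXml)
    foreach ($x in $EventXml) {
        if ($x.Event.System.EventID -ne '4738') { continue }
        # Flatten <Data Name="...">value</Data> into a lookup table
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        # '-' (or no value) means the UAC flags were not part of this change
        if ($d.OldUacValue -notmatch '^0x' -or $d.NewUacValue -notmatch '^0x') { continue }
        $old = [Convert]::ToInt32($d.OldUacValue, 16)
        $new = [Convert]::ToInt32($d.NewUacValue, 16)
        # Keep only transitions where the bit went from clear to set
        if (($new -band $DontExpire) -and -not ($old -band $DontExpire)) {
            [pscustomobject]@{
                Time      = $x.Event.System.TimeCreated.SystemTime
                Target    = "$($d.TargetDomainName)\$($d.TargetUserName)"
                ChangedBy = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            }
        }
    }
}

# Constructed sample event (names and values are made up) so the function runs offline
$sample = [xml]@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4738</EventID><TimeCreated SystemTime="2024-01-01T10:00:00Z"/></System>
  <EventData>
    <Data Name="TargetUserName">svc-demo</Data>
    <Data Name="TargetDomainName">EXAMPLE</Data>
    <Data Name="SubjectUserName">admin-demo</Data>
    <Data Name="SubjectDomainName">EXAMPLE</Data>
    <Data Name="OldUacValue">0x10</Data>
    <Data Name="NewUacValue">0x210</Data>
  </EventData>
</Event>
'@
Get-PasswordNeverExpiresChange -EventXml $sample

# On a domain controller, feed it the live Security log instead:
# Get-PasswordNeverExpiresChange -EventXml (Get-WinEvent -FilterHashtable @{
#     LogName = 'Security'; Id = 4738 } | ForEach-Object { [xml]$_.ToXml() })
```

Events where the flag was already set before the change, or where the UAC value is logged as '-', are skipped, so the output lists only the moments the setting was turned on.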