Phone Get Quote
US: +1 888 720 9500
US: +1 888 791 1189
Intl: +1 925 924 9500
Aus: +1 800 631 268
UK: 0800 028 6590
CN: +86 400 660 8680

Direct Inward Dialing: +1 408 916 9892


How to track password resets and changes in Active Directory

Passwords are still the most common form of authenticating users on a network. So it remains one of the main entry routes for a hacker to infiltrate your systems. This is why IT admins must track the history of user passwords. You can retrieve password information on password resets, last time a password was changed, password expiration date.

The steps below show you how to track changes made to a user's password with native AD. Alternatively, you can use a simpler solution in the form of ADAudit Plus. Here you can find pre-configured reports on account activity with an intuitive graphic interface and analysis charts.

Download for FREE
Free, fully functional 30-day trial
  • With Native AD Auditing

  • With ADAudit Plus

  • How to track password changes with ADAudit Plus
  • In the ADAudit Plus console, you can find password related reports under 'Reports'----> 'User Management'. You can access the 'Recently Password Changed Users' and 'Recently Password Set Users' to view password change or reset attempts.

  • Advanced search functionality offers you multiple filter attributes to look for a specific event.

  • Easily export your reports in CSV,HTML,PDF and XSL formats.

  • Correlate between other user management and computer management reports to spot anomalous behavior on the network.

  • Track password changes and resets
  • Step 1: Enable Group Policy Auditing
  • Launch the 'Server Manager' and open the Group Policy Management Console (GPMC).

  • In the left pane, expand the 'Forest' and 'Domains' nodes to reveal the specific domain you want to track the changes for.

  • Expand the domain and right click 'Default Domain Policy'. You can also choose a domain policy that is universal throughout the domain, or create a new GPO and link it to the Default Domain Policy.

  • Click on 'Edit' of the desired group policy, to open up the Group Policy Management Editor.

  • Expand 'Computer Configuration'--->Policies---->Windows Settings----->Security Settings----->Local Policies------->Audit Policies.

  • Enable 'success' and 'failure' options for 'Audit account management' properties. Exit Group Policy Management Editor.

  • In the GPMC choose the modified GPO, and click 'Add' in the 'Security' section on the right pane. Type 'everyone' in the text box and click 'Check Names' to include the value. Exit the GPMC.

  • To enforce these changes throughout the domain run the command 'gupdate /force', in the "Run" console.

  • Step 2: Allow AD Auditing through ADSI Edit
  • From your Server Manager go to Tools and select ADSI Edit.

  • Right click ADSI Edit node from the left pane and select Connect to option. This pulls up the Connection Settings window.

  • Select the Default Naming Context option from the Select a well-known Naming Context drop down list.

  • Click Okay and return to the ADSI Edit window. Expand Default Naming Context and select the associated 'DC' subnode. Right click this subnode and click 'Properties'.

  • In the Properties window, go to the Security tab and select Advanced. After that select Auditing tab and click Add.

  • Click on Select a principle. This will bring up a Select User, Computer or Group Window. Type 'Everyone' in the textbox and verify it with Check Names.

  • The principle in the Auditing Entry window now shows 'Everyone'. In the 'Type' drop-down select All to audit for both 'success' and 'failure' events.

  • In the Select drop-down choose This object and all descendant object's. This allows the auditing of the OU's descendant objects. Select Full Control in the 'Permissions' section.

  • This selects all the checkboxes available. Unselect the following check boxes:

    1. Full Control

    2. List Contents

    3. Read all properties

    4. Read permissions

  • Step 3: View events in Event Viewer
  • Open the Event Viewer and access the 'Security Logs' from 'Windows Logs'.

  • EventID 4724 describes any attempts made to reset the password of an account.

  • EventID 4723 describes any attempts by a user to change their password.

Does native auditing become a little too much?

Simplify password change auditing and reporting with ADAudit Plus.

Get Your Free Trial Fully functional 30-day trial

Request 1-on-1 demo

  • -Select-
  • By clicking 'Submit' you agree to processing of personal data according to the Privacy Policy.


One of our solution experts will get in touch with you shortly.

ADAudit Plus Trusted By