How to Track Password Changes and Resets in Active Directory

Authored by: Support.com Tech Pro Team

1. Introduction


2. Step 1: Configuring Group Policy Settings to Enable Auditing

  1. Go to “Start Menu” ➔ “All Programs” ➔ “Administrative Tools” and double-click “Group Policy Management” to open its window.
  2. Alternatively, open the “Run” dialog box from the Start menu, type “GPMC.MSC” and click “OK” to open the Group Policy Management console.
  3. In the left panel of the Group Policy Management Console, go to “Forest” ➔ “Domains” ➔ “www.domain.com.”
  4. Double-click “www.domain.com” and navigate to “Default Domain Policy.”
  5. Right-click any customized policy under the “Domain Controllers” node. (We recommend editing a customized group policy instead of the Default Domain Controllers Policy.) You may create a new GPO, link it to the domain, and edit it.
  6. The “Group Policy Management Editor” window appears on the screen. In the left panel, navigate to “Computer Configuration” ➔ “Policies” ➔ “Windows Settings” ➔ “Security Settings” ➔ “Local Policies”.
  7. Select “Audit Policy” to list all of its sub-policies in the right panel.
  8. Double-click “Audit Account Management” to open its “Properties.”
     1. Select “Define these policy settings.”
     2. Select both the “Success” and “Failure” checkboxes to audit successful and failed events.
     3. Click “Apply” and then “OK.”

3. Step 2: View Logs in Event Viewer

Once Auditing is enabled, perform the following steps in Event Viewer to view the events:

  1. Open “Event Viewer” and go to “Windows Logs” ➔ “Security”.
  2. Search for Event ID 4724 in the Security log. This Event ID identifies attempts by an administrator to change (reset) an account’s password.
  3. Also search for Event ID 4723. This Event ID identifies attempts by a user to change an account’s password.
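
The same search can be scripted instead of clicked through in Event Viewer. The PowerShell below is an added example, not part of the original guide: it reads events 4723 and 4724 from the Security log and reports who acted on which account and whether the attempt succeeded. The function names `ConvertFrom-PasswordEventXml` and `Get-PasswordEvent` are hypothetical, and the sample event is constructed.

```powershell
# Added example: function names and all sample values are hypothetical/constructed.
function ConvertFrom-PasswordEventXml {
    param([Parameter(Mandatory)][string]$EventXml)
    $evt = ([xml]$EventXml).Event
    # EventData is a list of <Data Name="...">value</Data>; index it by name.
    $data = @{}
    foreach ($d in $evt.EventData.Data) { $data[$d.Name] = $d.'#text' }
    $actions = @{ 4723 = 'Change by user'; 4724 = 'Reset by administrator' }
    [pscustomobject]@{
        TimeUtc = $evt.System.TimeCreated.SystemTime
        EventId = [int]$evt.System.EventID
        Action  = $actions[[int]$evt.System.EventID]
        # The Keywords value separates Audit Success from Audit Failure.
        Result  = if ($evt.System.Keywords -eq '0x8020000000000000') { 'Success' } else { 'Failure' }
        Target  = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
        Actor   = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
    }
}

# Live query; run from an elevated session. Security logs are per machine,
# so each domain controller has to be queried for a complete picture.
function Get-PasswordEvent {
    param([string]$ComputerName = $env:COMPUTERNAME, [int]$MaxEvents = 200)
    Get-WinEvent -ComputerName $ComputerName -MaxEvents $MaxEvents -FilterHashtable @{ LogName = 'Security'; Id = 4723, 4724 } |
        ForEach-Object { ConvertFrom-PasswordEventXml -EventXml $_.ToXml() }
}

# Constructed sample event (made-up accounts) so the parser can be tried offline.
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>4724</EventID>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2024-01-15T09:30:00.0000000Z" />
  </System>
  <EventData>
    <Data Name="TargetUserName">jdoe</Data>
    <Data Name="TargetDomainName">EXAMPLE</Data>
    <Data Name="SubjectUserName">helpdesk01</Data>
    <Data Name="SubjectDomainName">EXAMPLE</Data>
  </EventData>
</Event>
'@
ConvertFrom-PasswordEventXml -EventXml $sample | Format-List
```

On a domain controller, `Get-PasswordEvent | Format-Table -AutoSize` lists the most recent matching events, newest first.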