How to detect user password changes in Active Directory


Although it is good to mandate that your employees change their passwords regularly, this activity must be supervised. Unmonitored password changes or resets by a rogue insider could lead to a serious security breach. Administrators need to keep an eye on password changes and resets to ensure they're authorized and to keep their Active Directory (AD) environment secure. This guide explains how to audit password change activities in AD.

Steps to enable auditing using the Group Policy Management Console (GPMC):

Perform the following actions on the domain controller (DC):

  1. Press Start, then search for and open the Group Policy Management Console, or run the command gpmc.msc.
  2. Right-click the domain or organizational unit (OU) that you want to audit, and click Create a GPO in this domain, and Link it here. If you have already created a Group Policy Object (GPO), go to step 4.
  3. Name the GPO.
  4. Right-click the GPO and choose Edit.
  5. In the Group Policy Management Editor, in the left pane, navigate to Computer Configuration → Policies → Windows Settings → Security Settings → Advanced Audit Policy Configuration → Account Management.
  6. In the right pane, double-click Audit User Account Management and check the boxes next to Configure the following audit events:, Success, and Failure.
  7. Click Apply, then OK.
  8. Go back to the Group Policy Management Console, and in the left pane, right-click the desired OU in which the GPO was linked, and click Group Policy Update. This step makes sure the new Group Policy settings are applied instantly instead of waiting for the next scheduled refresh.

Steps to view these events using the Event Viewer:

Once the above steps are complete, events will be stored in the event log. This can be viewed in the Event Viewer by following the steps below:

  1. Press Start, search for Event Viewer, and click it to open it.
  2. In the left pane of the Event Viewer window, navigate to Windows Logs → Security.
  3. Here, you will find a list of all the security events that are logged into the system.
  4. Under Security in the right pane, click Filter Current Log.
  5. In the pop-up window, enter the desired Event ID* in the field labeled <All Event IDs>.
     *The following Event IDs are logged when the respective event occurs:
     4723 - When a user attempts to change their password.
     4724 - When an admin attempts to reset the password for another user.
  6. Click OK. This will provide a list of occurrences of the entered Event ID.
  7. Double-click the Event ID to view its properties (description).
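The same filter can be run from an elevated PowerShell session on the domain controller, which also makes it possible to see who acted on which account and whether the attempt succeeded. This is an added example, not code from ManageEngine or the original page; the 24-hour look-back window and the threshold of five failures are assumptions to adjust.

```powershell
# Confirm that the subcategory enabled through the GPO is actually in effect.
auditpol /get /subcategory:"User Account Management"

$AuditFailure = 0x10000000000000      # Keywords bit that marks an "Audit Failure" event
$since        = (Get-Date).AddDays(-1) # look-back window (assumption: 24 hours)

# 4723 = user changed own password, 4724 = password reset by someone else.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 4723, 4724; StartTime = $since
} -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # Read the named EventData fields from the event XML.
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
        $data[$d.Name] = $d.'#text'
    }
    [pscustomobject]@{
        Time    = $e.TimeCreated
        EventId = $e.Id
        Action  = if ($e.Id -eq 4723) { 'Change (self)' } else { 'Reset (admin)' }
        Actor   = '{0}\{1}' -f $data.SubjectDomainName, $data.SubjectUserName
        Target  = '{0}\{1}' -f $data.TargetDomainName, $data.TargetUserName
        Result  = if ($e.Keywords -band $AuditFailure) { 'Failure' } else { 'Success' }
        DC      = $e.MachineName
    }
}

# Full list, newest first.
$rows | Sort-Object Time -Descending | Format-Table -AutoSize

# Target accounts with repeated failed attempts in the window
# (threshold of 5 is an assumption; tune it to your environment).
$rows | Where-Object Result -eq 'Failure' |
    Group-Object Target |
    Where-Object Count -ge 5 |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

Each domain controller records these events in its own Security log, so run the query on every DC (or pass -ComputerName to Get-WinEvent) to get the complete picture.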

Auditing the password changes through the above manual method becomes tedious, as every organization deals with hundreds to thousands of user accounts.

ADAudit Plus, a comprehensive AD auditing tool, enables admins to effortlessly audit password changes and other Active Directory changes.

Steps to detect user password changes using ManageEngine ADAudit Plus

  1. Download and install ADAudit Plus.
  2. Find the steps to configure auditing on your domain controller here.
  3. Open the ADAudit Plus web console, and log in as an administrator.
  4. Navigate to Reports → User Management → Recently Password Changed Users.

  • View recent password changes and scrutinize the activities of users who frequently change their passwords.
  • A high number of failed password changes could indicate a brute-force attack.

To view reports for password changes categorized by users, navigate to Reports → User Management → User Based Password Changes.

  • Analyze both successful and failed attempts to change passwords.

  5. Navigate to Reports → User Management → Recently Password Set Users.

  • See recent password changes and find which users most frequently reset passwords.
  • View who changed the password, for whom, and if the action was successful or not.

To view reports for password resets categorized by users, navigate to Reports → User Management → User Based Password Reset.

  • Analyze which user account was most frequently reset in a given time period.

Advantages of using ADAudit Plus over native auditing:

  • View reports for password changes and resets that show you the exact date and time of the action, who performed the reset, and more.
  • Detect, track down the source of, and resolve AD account lockouts faster with ADAudit Plus' account lockout analyzer.
  • Satisfy regulations such as SOX, HIPAA, GLBA, PCI DSS, FISMA, and the GDPR with ADAudit Plus' reports.
 
