Active Directory (AD) verifies the authenticity of users with a matching combination of usernames and passwords, using information known only to AD and the user. If users forget their passwords, there's no way for them to access internal resources unless sufficient information (e.g., old passwords, security questions) is provided to the system—that is, unless a password self-service solution is in place.

A system administrator can reset a user's account password with the click of a button, even without knowing the old password. This is classified as a critical event, and it needs to be monitored constantly in order to thwart attackers who try to gain domain-level administrator access.

Windows records every password reset attempt as event ID 4724 in its security log. Learn more about event ID 4724, including how ADAudit Plus can help monitor this and other potentially malicious activity.

The following steps help you discover who reset the password for a user account in Active Directory using native tools.

Go to Windows Event Viewer → Windows Logs → Security.

Under Actions in the right pane, select Filter Current Log... and switch to the XML tab. Check the Edit query manually box and click Yes.

Figure 1. Filter security log using a custom query

Figure 2. Edit the custom query manually

This allows you to enter a custom manual query.

<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      <!-- Replace the placeholder with the sAMAccountName of the user whose password was reset.
           Keep apostrophes out of the value: a ' inside the single-quoted XPath string ends it early. -->
      *[System[(EventID=4724)]] and *[EventData[(Data[@Name='TargetUserName']='NAME_OF_THE_USER_WHOSE_PASSWORD_WAS_RESET')]]
    </Select>
  </Query>
</QueryList>

Figure 3. Event id 4724 - an attempt was made to reset an account's password

As seen above, the Account Name listed under Subject is the account that performed the password reset, while the Account Name under Target Account is the user whose password was reset.

If you have multiple domain controllers (DCs) in your environment, you need to look at every single DC's security log to ensure that you don't miss anything: event 4724 is written only on the DC that processed the reset, and security log entries are not replicated between DCs. Generating a snapshot that displays all actions performed by a particular account using native tools is complex and time-consuming. A better option is to view pre-defined reports and export this information, or receive SMS or email notifications, which can be easily accomplished using ADAudit Plus.
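The following PowerShell script is an added example (not part of the original article or of ADAudit Plus) that automates the native-tools approach above: it reuses the same XPath filter, runs it against the Security log of every DC, and extracts the Subject (who reset) and Target (whose password) fields from each 4724 event. It assumes the RSAT ActiveDirectory module is installed and that the caller can read the Security log on each DC; the $TargetUser value is a placeholder to replace.

```powershell
# Added example: find who reset a given user's password by querying event ID 4724 on every DC.
# Assumptions: RSAT ActiveDirectory module available; rights to read each DC's Security log.
param(
    [string]$TargetUser = 'NAME_OF_THE_USER_WHOSE_PASSWORD_WAS_RESET',  # placeholder, replace
    [int]$Days = 7                                                     # how far back to search
)

Import-Module ActiveDirectory

# Same XPath filter the article uses in Event Viewer, with a time window added.
# The placeholder must not contain an apostrophe: it would terminate the quoted XPath string.
$filterXml = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(EventID=4724) and TimeCreated[timediff(@SystemTime) &lt;= $($Days * 86400000)]]]
      and *[EventData[Data[@Name='TargetUserName']='$TargetUser']]
    </Select>
  </Query>
</QueryList>
"@

$results = foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
    try {
        # 4724 is logged only on the DC that handled the reset and is not replicated,
        # so each DC's Security log has to be queried separately.
        Get-WinEvent -ComputerName $dc -FilterXml $filterXml -ErrorAction Stop | ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
            [pscustomobject]@{
                TimeCreated      = $_.TimeCreated
                DomainController = $dc
                ResetBy          = "$($d.SubjectDomainName)\$($d.SubjectUserName)"  # Subject = who reset
                TargetAccount    = "$($d.TargetDomainName)\$($d.TargetUserName)"    # Target = whose password
                SubjectLogonId   = $d.SubjectLogonId                                # ties back to a 4624 logon
            }
        }
    } catch {
        # With -ErrorAction Stop, "no matching events" is raised as an exception; report anything else.
        if ($_.Exception.Message -notmatch 'No events were found') {
            Write-Warning "Could not query ${dc}: $($_.Exception.Message)"
        }
    }
}

$results | Sort-Object TimeCreated | Format-Table -AutoSize
```

Resets performed through a password self-service tool will show that tool's service account under ResetBy, so correlate the SubjectLogonId with the corresponding logon event when attribution to a person matters.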

See how ADAudit Plus can help you efficiently track user logon and logoffs as well as file server activities, audit AD users and groups, and more. Download a free, 30-day trial, or evaluate ADAudit Plus today with a free, online demo.
