Direct Inward Dialing: +1 408 916 9892
Note: To enable the required auditing, please refer to Step 1 on the Native AD Auditing tab. After this you can follow the steps below to view the relevant events.
Select the Server Audit Tab and navigate to Local Account Management tab.
You can then navigate to the pre-configured report named Recently Password Changed.This gives you a report of password history. You can look for a specific user account to check when the password was last changed.
Customize the Period to the desired time range. You can also define a custom period and save for quick reference.
A detailed audit information report is generated for the selected period.
Clicking on an event in the bar graph, filters the report view highlighting only the selected event.
Advanced filter options help you locate the specific event that youre looking for.
Launch theServer Manager and open the Group Policy Management Console (GPMC).
In the left pane, expand theForest and Domains nodes to reveal the specified domain you want to track the changes for.
Expand the domain and right-click Default Domain Policy. You can also choose a domain policy that is universal throughout the domain, or create a new GPO and link it to the Default Domain Policy.
Click on Edit of the desired group policy, to open up the Group Policy Management Editor.
Expand Computer Configuration-->Policies-->Windows Settings-->Security Settings-->Local Policies-->Audit Policies.
Enable success and failure options for Audit account management. You can also allow for more granular auditing. Select the Advanced Audit Policy--> Audit Policy-->Account Management-->Audit User Account Management. Exit Group Policy Management Editor.
Run GPMC.msc.
Open Default Domain Policy -->Computer Configuration-->Policies-->Windows Settings-->Security Settings-->Event Log.
Change the Policy Settings of Maximum security log size policy to 1GB (1000000 kilobytes).
Change the policy settings of the Retention method for security log to Overwrite events as needed.
To view the password changes you need to filter the log to look for the following event.
Event ID 4723 describes an attempt made by a user to change the password.
The event details give you the entire password change history of the user. From here you can check when the last password change was made.
Does native auditing become a little too much?
Simplify local account management auditing and reporting with ADAudit Plus.
Get Your Free Trial Fully functional 30-day trialActive Directory Auditing just got easier!
ADAudit Plus comes bundled with more than 300 predefined reports that makes your AD auditing easier. The solution also sends real-time alerts for critical events and thereby help you to secure your network from threats and boost your IT security posture.
Download ADAudit Plus
