How to Track Who Reset Password of a User in Active Directory

Authored by: Support.com Tech Pro Team

1. Introduction

How to Track Who Reset Password of a User in Active Directory

 

2. Step 1: Enable Auditing through GPMC

  1. Type “GPMC.MSC” in the “Run” box or at the “Command Prompt” and press the “Enter” key. The “Group Policy Management” console opens.
  2. Go to “Forest” ➔ “Domains” ➔ “www.domain.com” in the left panel.
  3. Right-click “Default Domain Policy” or any customized domain-wide policy. (We recommend that you create a new GPO, link it to the domain, and edit it.)
  4. Select “Edit” in the context menu to access the “Group Policy Management Editor”.
  5. Navigate to “Computer Configuration” ➔ “Policies” ➔ “Windows Settings” ➔ “Security Settings” ➔ “Local Policies” ➔ “Audit policy”.
  6. Double-click the “Audit account management” policy to access its properties.
  7. Select the “Define these policy settings” option.
  8. Select both the “Success” and “Failure” check boxes to enable the audit policy for monitoring both successful and failed events.
  9. Click “Apply” and “OK”.
  10. Close the “Group Policy Management Editor” window.
  11. Right-click the modified GPO in the “Group Policy Management” console.
  12. Select “Group Policy Update” in the context menu to update the policy. Alternatively, run the following command at the “Command Prompt” to update the policy:
      gpupdate /force

3. Step 2: Check Logs in Event Viewer

Once auditing is enabled, perform the following steps in “Event Viewer” to view the password reset events:

  1. Open “Event Viewer” ➔ “Windows Logs” ➔ “Security” logs.
  2. Search for event ID 4724 in the “Security” logs. This ID identifies a user account whose password is reset. The following screenshot shows event ID 4724 for user account password reset:
  3. You can scroll down to view the details of the user account whose password was reset.
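
The same search can be run from PowerShell instead of scrolling through Event Viewer. The following is an added example, not part of the original guide: the function name Get-PasswordResetEvent and the seven-day default window are assumptions, and it needs an elevated session with rights to read the Security log on the domain controller being queried.

```powershell
# Added example (not from the original guide): list password resets
# (event ID 4724) with the account that performed each reset.
# Get-PasswordResetEvent is a hypothetical helper name.
function Get-PasswordResetEvent {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,   # domain controller to query
        [datetime]$Since = (Get-Date).AddDays(-7),    # assumed look-back window
        [string]$TargetUser                           # optional: one account only
    )

    $filter = @{ LogName = 'Security'; Id = 4724; StartTime = $Since }

    # SilentlyContinue suppresses the "no events were found" error when
    # nothing matches; remove it while troubleshooting access problems.
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter `
                 -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Read the event fields by name from the event XML.
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

            [pscustomobject]@{
                TimeCreated  = $_.TimeCreated
                ResetBy      = $data['SubjectUserName']    # who performed the reset
                ResetByDom   = $data['SubjectDomainName']
                TargetUser   = $data['TargetUserName']     # whose password was reset
                TargetDomain = $data['TargetDomainName']
                LogonId      = $data['SubjectLogonId']     # ties the reset to a logon session
                # Audit Success keyword bit; if it is not set the event is an Audit Failure.
                Succeeded    = [bool]($_.Keywords -band 0x20000000000000)
                LoggedOn     = $_.MachineName
            }
        } |
        Where-Object { -not $TargetUser -or $_.TargetUser -eq $TargetUser } |
        Sort-Object TimeCreated -Descending
}

# Usage: resets of one account in the last 30 days ("jdoe" is a constructed name).
Get-PasswordResetEvent -Since (Get-Date).AddDays(-30) -TargetUser 'jdoe' |
    Format-Table -AutoSize
```

The event is written to the Security log of the domain controller that processed the reset, so in a domain with several domain controllers run the function against each one with -ComputerName.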