How to Track Who Reset Password of a User in Active Directory
Authored by: Support.com Tech Pro Team
1. Introduction
How to Track Who Reset Password of a User in Active Directory
2. Step 1: Enable Auditing through GPMC
Firstly, type “GPMC.MSC†in “Run†box or “Command Prompt†and then press “Enter†key. The “Group Policy Management†console opens up.
Go to “Forest†➔ “Domains†➔ “www.domain.com†in left panel.
Right-click “Default Domain Policy†or any customized domain wide policy. (We recommend you to create a new GPO, link it to the domain, and edit it).
Select “Edit†in context menu to access “Group Policy Management Editorâ€.
Double-click “Audit account management†policy to access its properties.
Click to select “Define these policy settings†option.
Select both “Success†and “Failure†check boxes to enable audit policy for monitoring both successful and failed events.
Click “Apply†and “Okâ€.
Close “Group Policy Management Editor†window.
Right-click on the modified GPO in “Group Policy Management†console.
Select “Group Policy Update†in context menu to update policy. You can alternatively run following command on “Command Prompt†to update policy:Gpupdate /force
3. Step 2: Check Logs in Event Viewer
Once auditing is enabled, perform the following tasks in “Event Viewer†to view changed events:
Open “Event Viewer†➔ “Windows Logs†➔ “Security†logs.
Search for event ID 4724 in “Security†logs. This ID identifies a user account whose password is reset.The following screenshot shows event ID 4724 for user account password reset:
You can scroll down to view the details of the user account whose password was reset.