How to Detect Password Changes in Active Directory
Native Auditing vs. Netwrix Auditor for Active Directory
- Run GPMC.msc (url2open.com/gpmc) → open "Default Domain Policy" → Computer Configuration → Policies → Windows Settings → Security Settings → Local Policies → Audit Policy:
  - Audit account management → Define → Success and Failure.
- Run GPMC.msc → open "Default Domain Policy" → Computer Configuration → Policies → Windows Settings → Security Settings → Event Log → Define:
  - Maximum security log size to 1 GB
  - Retention method for security log to Overwrite events as needed
- Open Event Viewer and search the Security log for event IDs: 628/4724 – password reset attempt by administrator and 627/4723 – password change attempt by user.
- You can view user password changes by navigating to Netwrix Auditor → Reports → Active Directory Changes → Select "User Password Changes" report → Click "View".
- To view user password resets by domain administrators navigate to Netwrix Auditor → Reports → Active Directory Changes → Select "Password Resets by Administrator" report → Click "View".
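The Event Viewer search in the native-auditing steps above (event IDs 4723 and 4724) can also be scripted. The PowerShell below is an added example, not part of the original guide. It assumes an elevated session with read access to a domain controller's Security log and that the "Audit account management" policy is already applied; the function name Get-PasswordChangeEvent is hypothetical.

```powershell
# Added example (not from the original guide); the function name is hypothetical.
# Reads 4723 (user changed own password) and 4724 (reset by another account)
# from a domain controller's Security log and reports who acted on which account.
function Get-PasswordChangeEvent {
    param(
        [string]   $ComputerName = $env:COMPUTERNAME,      # assumed to be a domain controller
        [datetime] $Since        = (Get-Date).AddDays(-1)
    )
    $filter = @{ LogName = 'Security'; Id = 4723, 4724; StartTime = $Since }
    try {
        $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction Stop
    }
    catch {
        # "No events found" is an empty result; anything else (access denied,
        # DC unreachable) must surface so a gap in coverage is not mistaken for quiet.
        if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') { return }
        throw
    }
    $auditFailure = 0x10000000000000   # StandardEventKeywords.AuditFailure bit
    foreach ($e in $events) {
        # Named fields live in the event XML under EventData/Data[@Name].
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
            $data[$d.Name] = $d.'#text'
        }
        [pscustomobject]@{
            TimeCreated = $e.TimeCreated
            DC          = $e.MachineName
            EventId     = $e.Id
            Action      = if ($e.Id -eq 4724) { 'Reset by another account' } else { 'Change by user' }
            Result      = if ($e.Keywords -band $auditFailure) { 'Failure' } else { 'Success' }
            Actor       = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
            Target      = '{0}\{1}' -f $data['TargetDomainName'],  $data['TargetUserName']
        }
    }
}

# Password resets logged on this DC in the last 7 days, newest first.
Get-PasswordChangeEvent -Since (Get-Date).AddDays(-7) |
    Where-Object EventId -eq 4724 |
    Sort-Object TimeCreated -Descending |
    Format-Table -AutoSize
```

Each domain controller records only the password operations it processed, so run the function against every DC (via -ComputerName) to get complete coverage.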
Detect Password Changes and Password Resets in Active Directory to Avoid Data Leaks and System Downtime
Malicious individuals who obtain administrative access to your Active Directory domain can breach the security of your network. Therefore, any changes to a user account password made by anyone other than the account owner or an IT administrator might be a sign of an Active Directory account hack. A malefactor who has figured out how to change a password in Active Directory has complete access to the account and can read, copy and delete data, and even reset a user password in Active Directory. As a result, your organization can suffer system downtime or leaks of sensitive data.
The ability to monitor password changes, including every password reset in Active Directory, empowers IT pros to detect suspicious activity, troubleshoot issues and avoid system downtime. Netwrix Auditor for Active Directory provides predefined reports that show which accounts had password changes, enabling IT admins to keep those changes under close control. Moreover, the application provides details on each user password reset, so you can easily see who has reset a user password in Active Directory and when and where the change was made.