How to Track Password Changes and Resets in Active Directory?

Tracking password changes and resets in Active Directory is important for security and compliance reasons. Here are the steps to track password changes and resets in Active Directory:

  1. Enable the Audit Account Management policy in the Group Policy Object (GPO) for the domain. This can be done in the Group Policy Management Console (GPMC) by editing the Default Domain Policy GPO or by creating a new GPO.
  2. Configure the audit settings for the “Audit account management” policy to include “Success” and/or “Failure” auditing for the following subcategories:
    • “User Account Management” (to track password resets)
    • “Computer Account Management” (to track computer account password changes)
  3. After enabling and configuring the audit policy, the events will be logged in the Security event log of the domain controller where the password change/reset was processed.
  4. To view the password change/reset events, open the Event Viewer on the domain controller and navigate to the Security event log. Filter the log by Event ID 4723 (for password changes, where the user supplied the old password) or Event ID 4724 (for password resets, where another principal set a new password without the old one).
  5. To simplify the process of reviewing the Security event logs for password changes and resets, you can use a third-party tool or a script that collects and consolidates the relevant event information from multiple domain controllers into a single report.
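The script below is an added example, not part of the original article, showing steps 3 to 5 end to end: it queries the Security log on every domain controller for Event IDs 4723 and 4724, extracts the actor and target account from each event's XML, and writes one consolidated CSV report. It assumes the RSAT ActiveDirectory module is installed, that the audit policy from steps 1 and 2 is already in effect, that the running account may read the Security log remotely on each DC, and that the report path is a placeholder you will replace.

```powershell
# Added example (not from the original page): consolidate password change (4723)
# and password reset (4724) events from all domain controllers into one report.
# Assumptions: RSAT ActiveDirectory module present, remote Security log read
# access on each DC, and an arbitrary (placeholder) report path.
param(
    [int]$Hours = 24,
    [string]$ReportPath = "C:\Reports\AD-PasswordEvents.csv"   # assumed placeholder path
)

Import-Module ActiveDirectory

$since = (Get-Date).AddHours(-$Hours)
$dcs   = (Get-ADDomainController -Filter *).HostName

$rows = foreach ($dc in $dcs) {
    try {
        $events = Get-WinEvent -ComputerName $dc -FilterHashtable @{
            LogName   = 'Security'
            Id        = 4723, 4724
            StartTime = $since
        } -ErrorAction Stop
    } catch {
        # "No events were found" is normal on a quiet DC; anything else deserves a warning
        if ($_.Exception.Message -notmatch 'No events were found') {
            Write-Warning "$dc : $($_.Exception.Message)"
        }
        continue
    }

    foreach ($e in $events) {
        # Read the named EventData fields from the event XML instead of relying on
        # positional Properties indexes, which differ between 4723 and 4724.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($n in $xml.Event.EventData.Data) { $data[$n.Name] = $n.'#text' }

        [pscustomobject]@{
            TimeCreated   = $e.TimeCreated
            DC            = $dc
            EventId       = $e.Id
            Action        = if ($e.Id -eq 4723) { 'Change (old password supplied)' } else { 'Reset (no old password)' }
            TargetAccount = "$($data.TargetDomainName)\$($data.TargetUserName)"
            Actor         = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
            Outcome       = if ($e.KeywordsDisplayNames -contains 'Audit Success') { 'Success' } else { 'Failure' }
        }
    }
}

$rows | Sort-Object TimeCreated | Export-Csv -Path $ReportPath -NoTypeInformation

# Quick triage view: resets are the events most worth a second look, since a reset
# by an unexpected actor is the signature of an unauthorized password change.
$rows | Where-Object { $_.EventId -eq 4724 } |
    Format-Table TimeCreated, DC, Actor, TargetAccount, Outcome -AutoSize
```

Run it from an elevated PowerShell session with an account that can read the Security log on the domain controllers, for example `.\Get-PasswordEvents.ps1 -Hours 72`. Before relying on the report, confirm the policy from steps 1 and 2 is actually effective on a DC with `auditpol /get /category:"Account Management"`; if "User Account Management" shows "No Auditing", no 4723/4724 events will ever be written and the script will report nothing.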

By tracking password changes and resets, you can identify unauthorized changes to user passwords and take appropriate action to remediate security incidents. Additionally, tracking password changes and resets can help you demonstrate compliance with security regulations and industry standards.