To track who reset the password of a user in Active Directory, you can use the following steps:
- Enable Audit Account Management: First, enable auditing of account management events in your Active Directory environment. This is done by modifying the Group Policy Object (GPO) that applies to your domain controllers: enable the “Audit Account Management” policy setting, located under Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Audit Policy. Until this setting is in effect on the domain controllers, password resets are not recorded and there is nothing to trace.
- Collect Security Event Logs: After enabling the Audit Account Management policy setting, you need to collect the relevant security event logs from your domain controllers. These logs contain information about all account management events that occur on the domain controllers, including password resets.
- Filter Logs: Once you have collected the security event logs, you need to filter them to identify events related to password resets for the user in question. This can be done using tools like PowerShell or third-party log analysis software.
- Analyze Logs: Finally, analyze the filtered events to identify the account that initiated the password reset. This information is found in the “Subject” fields of the event log entry, which identify the account that performed the action (as opposed to the account whose password was reset). You may need to correlate the Subject with other log entries, such as the logon session that the Subject was using, to confirm which person or process was responsible for the password reset.
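The collect-filter-analyze steps above as one PowerShell query, added here as an example rather than taken from the original answer. It assumes it is run with administrative rights against a domain controller on which the audit setting is already enabled, and it relies on the Windows Security event IDs 4724 (an attempt was made to reset an account's password, i.e. an administrative reset) and 4723 (a user changed their own password); the parameter names are the example's own.

```powershell
# Added example, not part of the original answer.
# Assumes: administrative rights on the domain controller being queried, and
# "Audit Account Management" already enabled there so that 4723/4724 are logged.
param(
    [Parameter(Mandatory)] [string] $TargetUser,   # sAMAccountName of the user whose password was reset
    [string] $ComputerName = $env:COMPUTERNAME,   # domain controller whose Security log is read
    [int]    $Days = 7                            # how far back to look
)

# Step 2/3: collect only password-reset (4724) and self-change (4723) events from the Security log.
$filter = @{
    LogName   = 'Security'
    Id        = 4724, 4723
    StartTime = (Get-Date).AddDays(-$Days)
}

# -ErrorAction SilentlyContinue: Get-WinEvent throws when no event matches, which is a valid result here.
Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Read the named EventData fields from the event XML rather than parsing the
        # message text, so the result does not depend on the DC's display language.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        $action = if ($_.Id -eq 4724) { 'Reset by another account' } else { 'Changed by the user' }

        [pscustomobject]@{
            Time    = $_.TimeCreated
            EventId = $_.Id
            Action  = $action
            Subject = "$($data.SubjectDomainName)\$($data.SubjectUserName)"  # who performed the reset
            Target  = "$($data.TargetDomainName)\$($data.TargetUserName)"    # whose password was reset
            LogonId = $data.SubjectLogonId   # step 4: correlate with the Subject's 4624 logon event
            DC      = $_.MachineName
        }
    } |
    Where-Object { $_.Target -like "*\$TargetUser" } |   # step 3: filter to the user in question
    Sort-Object Time -Descending |
    Format-Table -AutoSize
```

Run it once per domain controller (or loop over them), since each DC only logs the resets it processed itself.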
Overall, tracking who reset the password of a user in Active Directory involves a combination of enabling auditing, collecting logs, filtering them, and analyzing the resulting data. Following these steps lets you identify potential security threats or policy violations, and track changes made by specific users or groups.