Why It Is Important
Malicious individuals who obtain administrative access to your Active Directory domain can breach the security of your entire network. Any change to a user account password made by anyone other than the account owner or an IT administrator might be a sign that the Active Directory account has been compromised. A malefactor who has stolen administrative credentials and used them to reset a user account password gains complete control of that account and can use it to read, copy and delete data in Active Directory. As a result, your organization can suffer system downtime, business disruption or leaks of sensitive data.
Native Auditing
GPMC
New policy
1. Run GPMC.msc (url2open.com/gpmc) → create a new policy and assign it to the needed OU → Edit it → Computer Configuration → Policies → Windows Settings → Security Settings → Local Policies → Audit Policy → Audit account management → Define → Success and Failure.
Default domain policy
2. Run GPMC.msc → open “Default Domain Policy” → Computer Configuration → Policies → Windows Settings → Security Settings → Event Log → Define:
- Maximum security log size to 4 GB
- Retention method for security log to Overwrite events as needed
Event viewer
3. Open Event Viewer and search Security log for event ids:
- 628/4724 – password reset attempt by administrator
- 627/4723 – password change attempt by user
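The following PowerShell script is an added example, not part of the original Netwrix article: it pulls 4723/4724 events from the Security log on a domain controller and flags resets performed by someone other than the account owner or a listed admin account. The audit policy from steps 1 and 2 is assumed to be in effect, and $AdminAccounts is a placeholder allow-list you would replace with your own.

```powershell
# Added example: report AD password changes (4723) and resets (4724) from the Security log.
# Run in an elevated session on a domain controller after the audit policy has applied.
# To confirm the policy is active:  auditpol /get /subcategory:"User Account Management"

# Placeholder allow-list of accounts expected to reset passwords (hypothetical names).
$AdminAccounts = @('CORP\helpdesk1', 'CORP\svc-iam')
$Since = (Get-Date).AddDays(-1)

$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4723, 4724; StartTime = $Since } `
    -ErrorAction SilentlyContinue

$report = foreach ($e in $events) {
    # Parse the event XML so the fields can be read by name rather than by position.
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }

    $actor  = '{0}\{1}' -f $d['SubjectDomainName'], $d['SubjectUserName']   # who made the change
    $target = '{0}\{1}' -f $d['TargetDomainName'],  $d['TargetUserName']    # whose password changed

    [pscustomobject]@{
        Time       = $e.TimeCreated
        Id         = $e.Id
        Action     = if ($e.Id -eq 4723) { 'Change (by user)' } else { 'Reset (by other)' }
        Status     = if ($e.KeywordsDisplayNames -contains 'Audit Success') { 'Success' } else { 'Failure' }
        Actor      = $actor
        Target     = $target
        # A reset (4724) by an account that is neither the owner nor on the allow-list is worth a look.
        Suspicious = ($e.Id -eq 4724) -and ($actor -ne $target) -and ($AdminAccounts -notcontains $actor)
    }
}

$report | Sort-Object Time | Format-Table -AutoSize
$report | Where-Object Suspicious | Export-Csv -Path .\suspicious-password-resets.csv -NoTypeInformation
```

Run it on each domain controller (or against forwarded logs), since a 4724 is only written on the DC that processed the reset.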
4. Real Life Use Case
5. Credits
Originally posted at https://www.netwrix.com/how_to_detect_password_changes.html