Active Directory: How to Detect Password Changes
Why It Is Important
Malicious individuals who obtain administrative access to your Active Directory domain can breach the security of your network. Any changes to a user account password made by anyone other than the account owner or an IT administrator might be a sign of an Active Directory account hack. A malefactor who has stolen administrative credentials and used them to change a user account password has complete access to the account and can use it to read, copy and delete data in Active Directory. As a result, your organization can suffer system downtime, business disruptions or leaks of sensitive data.
Native Auditing
1. New policy (GPMC): Run GPMC.msc → create a new policy and assign it to the needed OU → Edit it → Computer Configuration → Policies → Windows Settings → Security Settings → Local Policies → Audit Policy → Audit account management → Define → Success and Failure.
2. Default Domain Policy: Run GPMC.msc → open “Default Domain Policy” → Computer Configuration → Policies → Windows Settings → Security Settings → Event Log → Define:
- Maximum security log size to 4GB
- Retention method for security log to Overwrite events as needed
3. Event Viewer: Open Event Viewer and search the Security log for these event IDs (the first number is the legacy Windows Server 2003 ID, the second is the ID used on Windows Server 2008 and later):
- 628/4724 – password reset attempt by an administrator (an attempt was made to reset an account's password; the old password is not required)
- 627/4723 – password change attempt by the user (an attempt was made to change an account's password; the user supplied the old password)
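To turn step 3 into a repeatable check, here is an added PowerShell example (not from the original article) that reads events 4723/4724 from the Security log, or from an exported .evtx file, and flags resets performed by someone other than the account owner or an approved administrator. The `$KnownAdmins` list and the `svc-helpdesk` name are constructed placeholders; the script assumes the audit policy from step 1 is already in effect.

```powershell
# Added example: list password change/reset events and flag the ones
# the article warns about (a reset done by a non-owner, non-approved account).
param(
    [int]$Hours = 24,
    [string]$EvtxPath,                           # optional: exported .evtx to analyse offline
    [string[]]$KnownAdmins = @('svc-helpdesk')   # constructed placeholder list of approved resetters
)

$filter = @{ Id = 4723, 4724 }
if ($EvtxPath) {
    $filter.Path = $EvtxPath                     # offline analysis of an exported log
} else {
    $filter.LogName   = 'Security'
    $filter.StartTime = (Get-Date).AddHours(-$Hours)
}

$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
foreach ($e in $events) {
    # EventData fields (Subject*/Target*) are only reachable through the event XML
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    $actor  = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
    $target = "$($data.TargetDomainName)\$($data.TargetUserName)"
    $result = if ($e.KeywordsDisplayNames -contains 'Audit Failure') { 'Failure' } else { 'Success' }
    $kind   = if ($e.Id -eq 4723) { 'change (old password supplied)' } else { 'reset (no old password)' }

    # 4723 by the owner is routine; a 4724 reset by someone who is neither the
    # owner nor on the approved list is the case worth investigating.
    $suspicious = ($e.Id -eq 4724) -and
                  ($data.SubjectUserName -ne $data.TargetUserName) -and
                  ($KnownAdmins -notcontains $data.SubjectUserName)

    [pscustomobject]@{
        Time       = $e.TimeCreated
        EventId    = $e.Id
        Kind       = $kind
        Actor      = $actor
        Target     = $target
        Result     = $result
        Suspicious = $suspicious
    }
}
```

Pipe the output to `Where-Object Suspicious` to keep only the flagged resets, or to `Export-Csv` to hand the list to the account owners for confirmation.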
5. Credits
Originally posted at https://www.netwrix.com/how_to_detect_password_changes.html