Password Change event viewer

PrasadWF 426 Reputation points
2021-08-30T18:38:46.13+00:00

Hi,

I have changed the password of a user account using Ctrl+Alt+Del. After changing the password, when I go to the DC and check the Event Viewer, I did not find the event related to this password change.

Does the DC capture this kind of event? Can someone please let me know where I can find this event?

Windows for business Windows Server User experience Other

Accepted answer
  1. Charles Thivierge 4,171 Reputation points
    2021-08-30T19:08:31.437+00:00

    Yes, it can.

    But you must first enable some auditing on the DCs.

    Then, if you have multiple DCs, I suggest you use the following command to find out which DC received the password change request:
    repadmin /showobjmeta mydomain.local "DN"

    For example, for a user that has the Distinguished Name CN=MyUser,CN=Users,DC=MyDomain,DC=Local

    The command will be:
    repadmin /showobjmeta mydomain.local "CN=MyUser,CN=Users,DC=MyDomain,DC=Local"

    This will list all properties of the user account, and you will be able to see the DC that made the password change.


    Then, open the security log on this DC and look for the Event ID 4738 "User Account Management"

    You should see a list of attributes and one of them will be "Password Last Set"

    hth
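
One way to script the last step of the accepted answer, as an added example that is not part of the original thread: query the Security log of the DC that repadmin identified for Event ID 4738 entries where "Password Last Set" changed for a given account. The function name `Get-PasswordSetEvent`, the host `DC01.mydomain.local` and the account `MyUser` are assumptions made for illustration.

```powershell
# Added example: hypothetical helper, not code from the thread.
function Get-PasswordSetEvent {
    param(
        [Parameter(Mandatory)] [string] $DomainController,   # DC reported by repadmin /showobjmeta
        [Parameter(Mandatory)] [string] $SamAccountName,
        [datetime] $Since = (Get-Date).AddDays(-1)
    )

    $filter = @{ LogName = 'Security'; Id = 4738; StartTime = $Since }
    $events = Get-WinEvent -ComputerName $DomainController -FilterHashtable $filter -ErrorAction SilentlyContinue

    if (-not $events) {
        # Nothing logged: auditing may not be enabled on this DC, or another DC received the change
        Write-Warning "No 4738 events on $DomainController since $Since."
        return
    }

    foreach ($evt in $events) {
        # Flatten <EventData><Data Name="...">value</Data> into a lookup table
        $data = @{}
        foreach ($d in ([xml]$evt.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        if ($data['TargetUserName'] -ne $SamAccountName) { continue }
        # Attributes that did not change are logged as "-"; keep only real password-timestamp changes
        if ([string]::IsNullOrEmpty($data['PasswordLastSet']) -or $data['PasswordLastSet'] -eq '-') { continue }

        [pscustomobject]@{
            TimeCreated      = $evt.TimeCreated
            DomainController = $evt.MachineName
            TargetUser       = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
            ChangedBy        = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
            PasswordLastSet  = $data['PasswordLastSet']
        }
    }
}

# Constructed sample call; DC01.mydomain.local and MyUser are placeholder names
Get-PasswordSetEvent -DomainController 'DC01.mydomain.local' -SamAccountName 'MyUser' |
    Format-Table -AutoSize
```

Reading the Security log of a remote DC requires an account with rights to that log, and a warning with no output usually means either the audit setting is missing on that DC or the change was received by a different DC.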


2 additional answers

  1. Charles Thivierge 4,171 Reputation points
    2021-08-30T20:23:04.06+00:00

    Well, this information is set on each object (user or computer) in Active Directory.

    The attribute name is "pwdLastSet"

    Well... it's possible to use a PowerShell script to get the list of users you want and then use the repadmin command to retrieve the information.

    hth


  2. Charles Thivierge 4,171 Reputation points
    2021-08-31T16:05:15.02+00:00

    If you have a file with all the sAMAccountNames, you could use this PS to get this information.

    This will read the file C:\Temp\List_Users.txt and will create a txt file for each user under the C:\Temp\Extract_User_Info folder:

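    Import-Module ActiveDirectory
    # One sAMAccountName per line in the input file; one output file per user
    foreach ($line in Get-Content C:\Temp\List_Users.txt) {
        # Resolve the account name to its distinguished name
        $userDN = (Get-ADUser -Identity $line).DistinguishedName
        # Save the object's replication metadata (lists each attribute with the DC that made the change)
        repadmin /showobjmeta $Env:USERDNSDOMAIN "$userDN" | Out-File -FilePath "C:\Temp\Extract_User_Info\$line.txt"
        Write-Host "repadmin /showobjmeta $Env:USERDNSDOMAIN $userDN"
    }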

    hth
