Unable to correlate Password Reset Event with Logon Event via Logon ID

TheGrea 11 Reputation points
2022-07-19T15:29:36.237+00:00

Hi Community,

If I reset an AD Users password via the dsa.msc console I'm unable to correlate the Logon ID in the 4724 Password Reset Event with an associated 4624 Logon Event. The only events I can correlate with the Logon ID are 4634 Logoff and 4672 Special Logon.

Interestingly if I reset an AD Users password via ADSI Edit, the net user or the Powershell Set-ADAccountPassword command I can perfectly correlate the 4724 Event with an 4624 Event via the Logon ID.

This behavior can be reproduced on a domain controller installed/promoted from scratch. Tested with Server 2016 & 2022

Has anybody else experienced this behavior?

Best regards

Alex

Windows Server
Windows Server
A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.
11,746 questions
Active Directory
Active Directory
A set of directory-based technologies included in Windows Server.
5,575 questions
{count} votes