Unable to correlate Password Reset Event with Logon Event via Logon ID
If I reset an AD Users password via the dsa.msc console I'm unable to correlate the Logon ID in the 4724 Password Reset Event with an associated 4624 Logon Event. The only events I can correlate with the Logon ID are 4634 Logoff and 4672 Special Logon.
Interestingly if I reset an AD Users password via ADSI Edit, the net user or the Powershell Set-ADAccountPassword command I can perfectly correlate the 4724 Event with an 4624 Event via the Logon ID.
This behavior can be reproduced on a domain controller installed/promoted from scratch. Tested with Server 2016 & 2022
Has anybody else experienced this behavior?
Thank you for asking this question on the **Microsoft Q&A Platform. **
You have not received answers or comments to your question because it may be ambiguous or confusing.
I recommend you visit How to write a quality question and verify that your question meets some of the recommendations.
Hope this helps,
Carlos Solís Salazar
NOTE: To answer you as quickly as possible, please mention me in your reply.
Sign in to comment