How to audit password changes in AD
(Last updated on November 4, 2020)
Windows Server provides native tools for changing user passwords and auditing password changes in AD. However, they are somewhat lacking. Third-party tools such as Specops uReset can make the process easier and more secure.
There are two main ways that administrators can reset passwords using the native administrative tools that are included with Windows Server. One method involves using ADUC.
To reset a user’s password using ADUC, simply right-click on the user account, and then select the Reset Password command from the shortcut menu. This will cause Windows to display the Reset Password dialog box, which you can see below.
As you can see in the figure, this method allows the administrator to provide and confirm a new password. The dialog box also contains an option to force the user to change their password the next time that they log in. The administrator can also unlock the user’s account from this dialog box if necessary.
The second native option for resetting a user’s password is to use PowerShell. To do so, an administrator will need to open an elevated PowerShell session, and use the Set-ADAccountPassword cmdlet in conjunction with the Identity and NewPassword parameters. Suppose for instance that an administrator needed to reset the password for a user named User2. Here is what the command used for doing so might look like:
Set-ADAccountPassword -Identity User2 -NewPassword (ConvertTo-SecureString -AsPlainText “P@ssw0rd” -Force)
Notice that this method involves a bit more than just supplying the username and the new password. The password must be converted to a secure string before it can be used. The below image shows what the command looks like when used.
If an administrator needs to audit the password reset process using native tools, then the best option is to use the Windows Security log (Windows Event ID 4724). You can see what a password change log entry looks below. Notice in the figure that the Task Category is simply listed as User Account Management, not password reset. The only way to tell that this was a password reset operation is to look at the event description, shown in the lower portion of the interface. This is also where you find the user’s name, and the name of the user who performed the password reset. The Audit Success keywords indicate that the password was reset successfully.
Audit password changes in AD using third-party tools
Specops uReset allows users to perform self service password resets, so at least in theory, users should never have to contact the helpdesk for assistance. If a user does need to contact the helpdesk however, then the technician will use the Service Desk interface to complete the password reset process.
The first step in this process is for the technician to enter the user’s name or username into the interface. Upon doing so, the Service Desk console will identify the user’s AD account.
One of the major differences between the native password reset methods, and the Specops method, is that the native method allows a helpdesk technician to reset passwords at will. In contrast, Specops can be configured to force the helpdesk technician to verify the user’s identity prior to allowing them to reset the password. Identify verification can also be required prior to unlocking the user’s account.
The helpdesk technician can verify the user’s identity by using the same authentication methods from the user’s enrollment. For example, the helpdesk technician can verify the user’s identity by sending a code to the user’s registered mobile device via SMS text message.
Once the technician has verified the user’s identity, resetting the user’s password is a simple process. The technician must simply click on the Reset tab, and then either enter a password manually, or click on the Generate button to automatically generate a new password.
Specops uReset makes it easy to audit password changes in AD. The administrative interface includes a reporting menu which provides access to statistical data, reports related to system events, and auditing information. The Auditing tab provides access to all of the actions performed through uReset. Administrators can even filter this information by resource or date.