Sunday, 16 November 2014

Event ID 4724 - An attempt was made to reset an account's password

Event ID 4724 is logged on a Domain Controller whenever a user's password is reset. In this article, I explain the Active Directory password reset audit Event ID 4724 and how to enable or configure it through the Default Domain Controllers Policy GPO and Auditpol.exe.

Event ID 4724 sample Source

This sample 4724 event was logged when the password of the user Smith was reset. Here, the Subject field indicates who reset the password, and Target Account indicates which user account's password was reset.
An attempt was made to reset an account's password.

Subject:
 Security ID:  TESTDOMAIN\Morgan
 Account Name:  Morgan
 Account Domain:  TESTDOMAIN
 Logon ID:  0xede9c

Target Account:
 Security ID:  TESTDOMAIN\Smith
 Account Name:  Smith
 Account Domain:  TESTDOMAIN
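
Added example (not part of the original post): a Python sketch that parses the message text of the sample event above into its Subject and Target Account sections and reports who reset whose password. The function names and the `approved_resetters` allowlist are assumptions made for illustration, and the sample string is constructed from the event shown above.

```python
# Constructed sample: the message text of the 4724 event shown above.
SAMPLE_4724 = """An attempt was made to reset an account's password.

Subject:
 Security ID:  TESTDOMAIN\\Morgan
 Account Name:  Morgan
 Account Domain:  TESTDOMAIN
 Logon ID:  0xede9c

Target Account:
 Security ID:  TESTDOMAIN\\Smith
 Account Name:  Smith
 Account Domain:  TESTDOMAIN
"""


def parse_4724(message):
    """Return {section: {field: value}} for a rendered 4724 message."""
    sections, current = {}, None
    for line in message.splitlines():
        stripped = line.strip()
        if not stripped:
            continue
        if not line[0].isspace() and stripped.endswith(":"):
            # Unindented "Name:" line opens a section (Subject, Target Account).
            current = sections.setdefault(stripped[:-1], {})
        elif current is not None and line[0].isspace() and ":" in stripped:
            name, _, value = stripped.partition(":")
            current[name.strip()] = value.strip()
    return sections


def describe_reset(message, approved_resetters=()):
    """Report who reset whose password; flag resetters outside the allowlist."""
    sections = parse_4724(message)
    try:
        who = sections["Subject"]["Security ID"]
        whom = sections["Target Account"]["Security ID"]
    except KeyError as missing:
        raise ValueError(f"not a complete 4724 message: no {missing}") from None
    approved = {name.lower() for name in approved_resetters}
    return {
        "who": who,
        "whom": whom,
        "logon_id": sections["Subject"].get("Logon ID"),
        # Windows account names compare case-insensitively.
        "approved": who.lower() in approved,
    }
```

Calling `describe_reset(SAMPLE_4724)` with no allowlist returns `approved` as `False`, so every reset is reported until the accounts expected to perform resets are listed.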
 

Enable Event 4724 through Group Policy

To enable Event ID 4724 on every Domain Controller, we need to configure the audit policy settings in the Default Domain Controllers Policy. Alternatively, you can create a new GPO and link it to the Domain Controllers OU via the GPMC console, or you can configure the corresponding audit policy in the Local Security Policy of each Domain Controller.

Follow the steps below to enable the AD password reset audit event 4724 via the Default Domain Controllers Policy.

    1. Press the 'Windows' + 'R' keys.
    2. Type the command gpmc.msc, and click OK.
         Note: Skip the above steps by clicking Start --> Administrative Tools --> Group Policy Management.
    3. Expand the domain node and the Domain Controllers OU, right-click on the Default Domain Controllers Policy, then click Edit.
    4. Expand the Computer Configuration node and go to the node Audit Policy (Computer Configuration->Policies->Windows Settings->Security Settings->Local Policies->Audit Policy).
    5. Navigate to the right-side pane, select the policy Audit account management, and set the Success audit value.
    6. Update/refresh the GPO settings by running the command gpupdate /force.

Enable Password Reset Event 4724 via Auditpol

Auditpol.exe is a command-line utility for changing audit security settings at the category and subcategory level. It is available by default on Windows 2008 R2 and later versions and on Windows 7 and later versions. With Auditpol, we can get and set audit security settings at the per-user level and the computer level.

Note: You should run the Auditpol command with elevated privileges (Run As Administrator).

You can enable the Active Directory user password reset audit event (Event ID 4724) through the User Account Management subcategory by using the following command:
auditpol /set /subcategory:"User Account Management" /success:enable
Update/refresh the GPO settings by running the command gpupdate /force.


Disable/Stop Password Reset Event 4724

You can disable or stop the Active Directory password reset audit event (Event ID 4724) by removing the success audit in the User Account Management subcategory by using the following command:
auditpol /set /subcategory:"User Account Management" /success:disable
You can also stop this event by removing the success setting from the Default Domain Controllers GPO in the setting path Computer Configuration->Policies->Windows Settings->Security Settings->Audit Policy->Account Management.

Thanks,
Morgan
Software Developer
