
JeffreyHyson-5587 asked · DaisyZhou-MSFT commented

Event Id 4724 - where to find Access Denied attempts for SetPassword?

The documentation page for Event Id 4724 explicitly states

A Failure event does NOT generate if user gets “Access Denied” while doing the password reset procedure.

https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4724

Where is the "Access Denied" audit record written? If there is a bad actor attempting to reset a password where is the auditing for this password reset attempt?


PowerShell Code

The following PowerShell code can be used to generate a successful password reset and a failed password reset (Access Denied).

 $domain       = "SUPPORT01.com"
 $privUsername = "PrivAccount01"
 $privPassword = "PasswordForPrivAccount123"
 $userAccount  = "NonPrivAccount01"
 $newPassword  = "aNewPassword123"

 $path          = "LDAP://$domain"
 $searchAccount = "(sAMAccountName=$userAccount)"

 $Root   = New-Object System.DirectoryServices.DirectoryEntry $path, $privUsername, $privPassword
 $Search = New-Object System.DirectoryServices.DirectorySearcher $Root, $searchAccount
 $Match  = $Search.FindOne()
 $Entry  = $Match.GetDirectoryEntry()
 $Entry.UsePropertyCache = $true
 $passwordObject = @($newPassword)
 $Entry.Invoke("SetPassword", $passwordObject)

Notes:
Fill in valid information for the following items in the above code:
$domain = your organization's domain, e.g. SUPPORT01.com
$privUsername = a domain admin account in the SUPPORT01.com domain
$privPassword = the password for the above domain admin account
$userAccount = a user account in SUPPORT01.com for which we plan to set a new password
$newPassword = the new password for the above user account


Successful Execution

When "Audit account management" is enabled, a successful "SetPassword" generates Event Ids 4738 and 4724:
https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-audit-account-management
https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4738
https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4724



Contents of 4738

 A user account was changed.
    
 Subject:
   Security ID: SUPPORT01\PrivAccount01
   Account Name: PrivAccount01
   Account Domain: SUPPORT01
   Logon ID: 0xD49EEA3
    
 Target Account:
   Security ID: SUPPORT01\NonPrivAccount01
   Account Name: NonPrivAccount01
   Account Domain: SUPPORT01
    
 Changed Attributes:
   SAM Account Name: -
   Display Name: -
   User Principal Name: -
   Home Directory: -
   Home Drive: -
   Script Path: -
   Profile Path: -
   User Workstations: -
   Password Last Set: 6/10/2021 12:29:58 PM
   Account Expires: -
   Primary Group ID: -
   AllowedToDelegateTo: -
   Old UAC Value: -
   New UAC Value: -
   User Account Control: -
   User Parameters: -
   SID History: -
   Logon Hours: -
    
 Additional Information:
   Privileges: -

Contents of 4724

 An attempt was made to reset an account's password.
    
 Subject:
   Security ID: SUPPORT01\PrivAccount01
   Account Name: PrivAccount01
   Account Domain: SUPPORT01
   Logon ID: 0xD49EEA3
    
 Target Account:
   Security ID: SUPPORT01\NonPrivAccount01
   Account Name: NonPrivAccount01
   Account Domain: SUPPORT01

Failed Execution (Access Denied)

To obtain the "Access Denied" failure, change $privUsername and $privPassword to a non-domain-admin user account, e.g. $privUsername = "NonPrivAccount02":

 Exception calling "Invoke" with "2" argument(s): "Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))"
 Line:16 char:1
 + $Entry.Invoke("SetPassword", $passwordObject)
 + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
     + FullyQualifiedErrorId : DotNetMethodTargetInvocation

There is no record written to the Event log for the "Access Denied".


windows-active-directory
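As an added example (not code from the original thread), the following PowerShell pulls the 4724 and 4738 events for one target account from the Security log and reports each as Audit Success or Audit Failure, so the gap the question describes can be checked after a test reset. It assumes it runs where the Security log is readable and that "Audit account management" is enabled; the account name and look-back window are placeholders.

```powershell
# Added example, not from the original post: list 4724 (password reset) and
# 4738 (account changed) audit events for one target account and show whether
# each was recorded as Audit Success or Audit Failure.
param(
    [string]$TargetUser = "NonPrivAccount01",   # placeholder: account whose password was reset
    [int]$Hours = 1                             # placeholder: look-back window in hours
)

$filter = @{
    LogName   = 'Security'
    Id        = 4724, 4738
    StartTime = (Get-Date).AddHours(-$Hours)
}

$hits = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    # EventData fields for 4724/4738: SubjectUserName, SubjectDomainName,
    # SubjectLogonId, TargetUserName, TargetDomainName, TargetSid
    $xml  = [xml]$_.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    if ($data['TargetUserName'] -ne $TargetUser) { return }   # skip other accounts
    [pscustomobject]@{
        Time    = $_.TimeCreated
        Id      = $_.Id
        Outcome = ($_.KeywordsDisplayNames -join ',')   # "Audit Success" or "Audit Failure"
        Subject = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
        LogonId = $data['SubjectLogonId']
        Target  = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
    }
}

if (-not $hits) {
    Write-Warning "No 4724/4738 event for '$TargetUser' in the last $Hours h."
    Write-Warning "Either account-management auditing is off, or the attempt was a denied SetPassword, which leaves no record."
} else {
    $hits | Sort-Object Time | Format-Table -AutoSize
    $failed = $hits | Where-Object { $_.Id -eq 4724 -and $_.Outcome -match 'Failure' }
    if (-not $failed) {
        Write-Output "Only successful resets are recorded; denied attempts are not visible in this log."
    }
}
```

Run it right after a successful and a denied reset of the same account: the successful one shows up as a 4738/4724 Audit Success pair from the privileged subject, while the denied one from the non-privileged account leaves nothing to list.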

Hello @JeffreyHyson-5587,
I'm just following up to make sure you received my last reply and that my answers properly address your questions. If you have any further questions or concerns about this post, please let us know.


Best Regards,
Daisy Zhou

============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.

DaisyZhou-MSFT answered · DaisyZhou-MSFT edited

Hello @JeffreyHyson-5587,

Thank you for posting here.

Here are my tests in my lab.

Test 1
Domain Administrator resets yu1's password unsuccessfully.
[screenshots: au1.png, au2.png]

Test 2
Domain Administrator resets yu1's password successfully.
[screenshots: au3.png, au4.png]

Test 3
One normal domain user (t3) resets one domain user's password (u2's password) with error message "Access is denied".
[screenshots: au5.png, au6.png]


Hope the information above is helpful.

Should you have any question or concern, please feel free to let us know.


Tip: I am not an expert on PS, so I tested via GUI above.



Best Regards,
Daisy Zhou


JeffreyHyson-5587 answered

Hi @DaisyZhou-MSFT:

Unfortunately, the DirectoryServices library used in the script does not generate the Audit Failure 4724 event ID. I imagine the GUI does not use the DirectoryServices library to reset a password.

"Tip: I am not an expert on PS, so I tested via GUI above."

I have modified the PowerShell code to use your environment domain "B" along with the accounts "Administrator", "t3" and "yu1"; you will need to edit it to use the correct passwords on lines 4 and 7.

Please test with the script (not the GUI) as this is the proper use case.

Jeff


 $domain          = "B"
    
 $privUsername    = "Administrator"
 $privPassword    = "PasswordForPrivAccount123"
    
 $nonprivUsername = "t3"
 $nonprivPassword = "PasswordForNonprivAccount123"
    
 $targetAccount   = "yu1"
 $newPassword     = "aNewPassword123"
    
 $path          = "LDAP://$domain"
 $searchAccount = "(sAMAccountName=$targetAccount)"
    
 # Run for priv account
 Write-Output "S: Priv Account"
 $Root   = New-Object System.DirectoryServices.DirectoryEntry $path, $privUsername, $privPassword
 $Search = New-Object System.DirectoryServices.DirectorySearcher $Root, $searchAccount
 $Match  = $Search.FindOne()
 $Entry  = $Match.GetDirectoryEntry()
 $Entry.UsePropertyCache = $true
 $passwordObject = @($newPassword)
 $Entry.Invoke("SetPassword", $passwordObject)
 Write-Output "E: Priv Account"
    
 # Run for nonpriv account
 Write-Output "S: NonPriv Account"
 $Root   = New-Object System.DirectoryServices.DirectoryEntry $path, $nonprivUsername, $nonprivPassword
 $Search = New-Object System.DirectoryServices.DirectorySearcher $Root, $searchAccount
 $Match  = $Search.FindOne()
 $Entry  = $Match.GetDirectoryEntry()
 $Entry.UsePropertyCache = $true
 $passwordObject = @($newPassword)
 $Entry.Invoke("SetPassword", $passwordObject)
 Write-Output "E: NonPriv Account"




DaisyZhou-MSFT answered

Hello @JeffreyHyson-5587,

Thank you for your update.

I have tested your PS code and got the same result as you: I cannot see the corresponding event ID.


Hope the information above is helpful.

Should you have any question or concern, please feel free to let us know.


Best Regards,
Daisy Zhou


JeffreyHyson-5587 answered

Hello @DaisyZhou-MSFT

As a Microsoft employee what is the next step to get this bug fixed?

Jeff


DaisyZhou-MSFT answered

Hello @JeffreyHyson-5587,

Thank you for your update.

If you want to troubleshoot the issue further, I suggest you submit a service request to MS Professional tech support service so that a dedicated support professional can further assist you with this request.

The following web sites, with more detail on Professional Support options and incident submission methods, are for your reference:

https://support.microsoft.com/en-in/gp/contactus81?forceorigin=esmc&Audience=Commercial

https://support.microsoft.com/en-us/help/4051701/global-customer-service-phone-numbers

Thank you for your understanding and support.

Should you have any question or concern, please feel free to let us know.


Best Regards,
Daisy Zhou


JeffreyHyson-5587 answered

Hi @DaisyZhou-MSFT

I have no problem opening a service request to report this bug, but doing so requires me to have a paid subscription. Isn't there another option to get this bug reported/fixed?

Jeff


DaisyZhou-MSFT answered

Hello @JeffreyHyson-5587,

I am so glad to receive your reply.

You can give feedback on the question via the following link, because the article states "A Failure event does NOT generate if user gets “Access Denied” while doing the password reset procedure".

4724(S, F): An attempt was made to reset an account's password.
https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4724

Please scroll to the bottom of the page, and then you can see the feedback area.
[screenshot: feed.png]


Thank you so much for your understanding and support.

Should you have any question or concern, please feel free to let us know.


Best Regards,
Daisy Zhou


JeffreyHyson-5587 answered · DaisyZhou-MSFT commented

Hi @DaisyZhou-MSFT

Is there no one from the Active Directory product team on this forum that can directly file the defect/bug? The feedback page you suggested is to improve the documentation page not file a defect.

Jeff


Hello @JeffreyHyson-5587,

Thank you for your update.

Is there no one from the Active Directory product team on this forum that can directly file the defect/bug?
A: No, there is no way currently.

The feedback page you suggested is to improve the documentation page not file a defect.
A: The documentation page says "A Failure event does NOT generate if user gets “Access Denied” while doing the password reset procedure.", but via the GUI I mentioned above, a Failure event does generate if the user gets “Access Denied” while doing the password reset procedure. You can give feedback on it in the documentation page.

Thank you so much for your understanding and support.

Should you have any question or concern, please feel free to let us know.


Best Regards,
Daisy Zhou
