The documentation page for Event Id 4724 explicitly states
A Failure event does NOT generate if user gets “Access Denied” while doing the password reset procedure.
https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4724
Where is the "Access Denied" audit record written? If there is a bad actor attempting to reset a password where is the auditing for this password reset attempt?
PowerShell Code
The following PowerShell code can be used to generate a successful password reset and a failed password reset (Access Denied).
# Connection and target details (replace with values valid for your environment)
$domain = "SUPPORT01.com"
$privUsername = "PrivAccount01"
$privPassword = "PasswordForPrivAccount123"
$userAccount = "NonPrivAccount01"
$newPassword = "aNewPassword123"

# Bind to the domain as $privUsername and search for the target account by sAMAccountName
$path = "LDAP://$domain"
$searchAccount = "(sAMAccountName=$userAccount)"
$Root = New-Object System.DirectoryServices.DirectoryEntry $path, $privUsername, $privPassword
$Search = New-Object System.DirectoryServices.DirectorySearcher $Root, $searchAccount
$Match = $Search.FindOne()
if ($null -eq $Match) { throw "Account '$userAccount' not found in $domain" }
$Entry = $Match.GetDirectoryEntry()
$Entry.UsePropertyCache = $true

# Reset the password via IADsUser::SetPassword; the argument array is what Invoke expects
$passwordObject = @($newPassword)
$Entry.Invoke("SetPassword", $passwordObject)
Notes:
Fill in valid information for the following items in the above code
$domain = your organization's domain, i.e. SUPPORT01.com
$privUsername = a domain admin account in the SUPPORT01.com domain
$privPassword = the password for the above domain admin account
$userAccount = a user account in SUPPORT01.com which we plan to set a new password value
$newPassword = the new password for the above user account
Successful Execution
When "Audit account management" is enabled a successful "SetPassword" generates Event Ids 4738 and 4724
https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-audit-account-management
https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4738
https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4724
Contents of 4738
A user account was changed.
Subject:
Security ID: SUPPORT01\PrivAccount01
Account Name: PrivAccount01
Account Domain: SUPPORT01
Logon ID: 0xD49EEA3
Target Account:
Security ID: SUPPORT01\NonPrivAccount01
Account Name: NonPrivAccount01
Account Domain: SUPPORT01
Changed Attributes:
SAM Account Name: -
Display Name: -
User Principal Name: -
Home Directory: -
Home Drive: -
Script Path: -
Profile Path: -
User Workstations: -
Password Last Set: 6/10/2021 12:29:58 PM
Account Expires: -
Primary Group ID: -
AllowedToDelegateTo: -
Old UAC Value: -
New UAC Value: -
User Account Control: -
User Parameters: -
SID History: -
Logon Hours: -
Additional Information:
Privileges: -
Contents of 4724
An attempt was made to reset an account's password.
Subject:
Security ID: SUPPORT01\PrivAccount01
Account Name: PrivAccount01
Account Domain: SUPPORT01
Logon ID: 0xD49EEA3
Target Account:
Security ID: SUPPORT01\NonPrivAccount01
Account Name: NonPrivAccount01
Account Domain: SUPPORT01
Failed Execution (Access Denied)
To obtain a bad result ("Access Denied"), change $privUsername and $privPassword to a non-domain-admin user account, i.e. $privUsername = "NonPrivAccount02".
Exception calling "Invoke" with "2" argument(s): "Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))"
Line:16 char:1
+ $Entry.Invoke("SetPassword", $passwordObject)
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [], MethodInvocationException
+ FullyQualifiedErrorId : DotNetMethodTargetInvocation
There is no record written to the Event log for the "Access Denied".
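Since, as the post shows, a denied reset attempt leaves no Failure event, detection has to work from the Success events that are written. The following PowerShell is an added example (not from the original post or from Microsoft's documentation) that pulls 4724 and 4738 from a domain controller's Security log, extracts the Subject/Target fields from the event XML instead of parsing the message text, pairs each 4724 with its 4738 by Subject Logon ID and target, and flags resets performed by an account outside an expected list. The domain controller name, the expected-resetter list, and the time window are assumed placeholders.

```powershell
# Added example: correlate 4724/4738 password-reset events on a DC and flag unexpected resetters.
# Assumptions (placeholders, not from the page): $DomainController, $ExpectedResetters, $Hours.
# Run with an account that can read the domain controller's Security log.
param(
    [string]$DomainController = "DC01.SUPPORT01.com",   # assumed DC host name
    [string[]]$ExpectedResetters = @("PrivAccount01"),  # accounts expected to reset passwords
    [int]$Hours = 24
)

# Confirm the subcategory that emits 4724/4738 is enabled for Success. Failure auditing here
# does not help for this case: an "Access Denied" SetPassword writes no event at all.
auditpol /get /subcategory:"User Account Management"

$filter = @{
    LogName   = 'Security'
    Id        = 4724, 4738
    StartTime = (Get-Date).AddHours(-$Hours)
}
$events = Get-WinEvent -ComputerName $DomainController -FilterHashtable $filter -ErrorAction Stop

# Read the named EventData fields from each event's XML.
$records = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
    [pscustomobject]@{
        Time           = $e.TimeCreated
        Id             = $e.Id
        RecordId       = $e.RecordId
        SubjectUser    = $d['SubjectUserName']
        SubjectDomain  = $d['SubjectDomainName']
        SubjectLogonId = $d['SubjectLogonId']
        TargetUser     = $d['TargetUserName']
        TargetDomain   = $d['TargetDomainName']
    }
}

# A successful SetPassword produces a 4724 and a 4738 that share the Subject Logon ID and target.
$resets = $records | Where-Object Id -eq 4724
foreach ($r in $resets) {
    $change = $records | Where-Object {
        $_.Id -eq 4738 -and
        $_.SubjectLogonId -eq $r.SubjectLogonId -and
        $_.TargetUser -eq $r.TargetUser
    } | Select-Object -First 1

    $paired = if ($change) { $change.RecordId } else { 'none' }
    $flag   = if ($ExpectedResetters -notcontains $r.SubjectUser) { 'REVIEW' } else { 'expected' }

    '{0:u}  4724  {1}\{2} reset {3}\{4}  logon={5}  paired4738={6}  [{7}]' -f `
        $r.Time, $r.SubjectDomain, $r.SubjectUser, $r.TargetDomain, $r.TargetUser,
        $r.SubjectLogonId, $paired, $flag
}
```

The pairing mirrors the two records shown above, where both events carry the same Subject Logon ID (0xD49EEA3) and the same target. Because the denied attempt in the post is invisible to this query, the list of expected resetters is the useful control: a 4724 whose Subject is not a help-desk or admin account is the signal to review, and a 4724 with no matching 4738 suggests the two events were written to different domain controllers or the query window cut one of them off.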