PrasadWF-9762 asked cthivierge answered

Password Change event viewer

Hi,

I have changed the password of a user account using Ctrl+Alt+Del. After changing the password, when I go to the DC and check the Event Viewer, I did not find the event related to this password change.

Does the DC capture this kind of event? Can someone please let me know where I can find this event?

Tags: windows-server, windows-server-2016

cthivierge answered PrasadWF-9762 commented

Yes, it can.

But you must first enable some auditing on the DCs.

Then, if you have multiple DCs, I suggest you use the following command to find out which DC received the password change request:
repadmin /showobjmeta mydomain.local "DN"

For example, a user that has a Distinguished Name: CN=MyUser,CN=Users,DC=MyDomain,DC=Local

The command will be:
repadmin /showobjmeta mydomain.local "CN=MyUser,CN=Users,DC=MyDomain,DC=Local"

This will list all properties of the user account, and you will be able to see the DC that made the password change.

Then, open the security log on this DC and look for the Event ID 4738 "User Account Management"

You should see a list of attributes and one of them will be "Password Last Set"

hth



Thanks cthivierge, this worked.

What would I do if I have a list of users? Do I need to go one by one, or is there any automated process to check which DC is responsible for the password change for a list of users?

cthivierge answered

Well, this information is set on each object (user or computer) in Active Directory.

The attribute name is "pwdLastSet"

Well... it's possible to use a PowerShell script to get the list of users you want and then use the repadmin command to retrieve the information.

hth

cthivierge answered

If you have a file with all sAMAccountNames, you could use this PS to get this information.

This will read the file C:\Temp\List_Users.txt and will create a txt file for each user under the C:\Temp\Extract_User_Info folder.


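# The output folder C:\Temp\Extract_User_Info must already exist
foreach ($line in Get-Content C:\Temp\List_Users.txt) {
    # Resolve the sAMAccountName to the user's distinguished name
    $userDN = (Get-ADUser -Identity $line).DistinguishedName
    # Save the replication metadata for this user to its own file
    repadmin /showobjmeta $Env:USERDNSDOMAIN "$userDN" | Out-File -FilePath "C:\Temp\Extract_User_Info\$line.txt"
    # Echo the command that was run
    Write-Host repadmin /showobjmeta $Env:USERDNSDOMAIN "$userDN"
}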

hth
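An added example (not part of the thread and not cthivierge's script) that automates both steps from the answers above for a list of users: it reads the pwdLastSet replication metadata as objects with Get-ADReplicationAttributeMetadata instead of parsing repadmin text, resolves the originating DC, then counts Event ID 4738 entries for that account in that DC's Security log. Assumptions: the output path, the use of the PDC emulator as the DC to query, and the 5-minute search window around the change time.

```powershell
# Added example, not from the thread. Needs the ActiveDirectory (RSAT) module and
# permission to read the Security log on the originating DC.
Import-Module ActiveDirectory

$listFile = 'C:\Temp\List_Users.txt'        # one sAMAccountName per line (path from the thread)
$outFile  = 'C:\Temp\PwdChange_Report.csv'  # assumed output path
$queryDc  = (Get-ADDomain).PDCEmulator      # assumption: any reachable DC would do

$report = foreach ($sam in (Get-Content $listFile | Where-Object { $_.Trim() })) {
    try {
        $user = Get-ADUser -Identity $sam.Trim() -Server $queryDc -ErrorAction Stop
        # Same metadata repadmin /showobjmeta prints, returned as objects.
        $meta = Get-ADReplicationAttributeMetadata -Object $user.DistinguishedName `
                    -Server $queryDc -Properties pwdLastSet -ErrorAction Stop
    } catch {
        Write-Warning "${sam}: $($_.Exception.Message)"
        continue
    }
    if (-not $meta) { Write-Warning "${sam}: no pwdLastSet metadata"; continue }

    # The originating DSA is the DN of the DC's "NTDS Settings" object; the parent
    # server object carries dNSHostName. Stays empty if that DC was later demoted.
    $dcHost = $null
    if ($meta.LastOriginatingChangeDirectoryServerIdentity -match '^CN=NTDS Settings,(?<server>.+)$') {
        $dcHost = (Get-ADObject -Identity $Matches.server -Properties dNSHostName `
                       -Server $queryDc -ErrorAction SilentlyContinue).dNSHostName
    }

    # Event ID 4738 for this account on that DC, within an assumed +/- 5 minute window.
    $hits = @()
    if ($dcHost) {
        $when = $meta.LastOriginatingChangeTime
        $hits = @(Get-WinEvent -ComputerName $dcHost -ErrorAction SilentlyContinue -FilterHashtable @{
                    LogName = 'Security'; Id = 4738
                    StartTime = $when.AddMinutes(-5); EndTime = $when.AddMinutes(5)
                } | Where-Object {
                    ([xml]$_.ToXml()).Event.EventData.Data |
                        Where-Object { $_.Name -eq 'TargetSid' -and $_.'#text' -eq $user.SID.Value }
                })
    }
    [pscustomobject]@{
        SamAccountName = $user.SamAccountName
        OriginatingDC  = $dcHost
        ChangeTime     = $meta.LastOriginatingChangeTime
        Events4738     = $hits.Count
    }
}
$report | Export-Csv -Path $outFile -NoTypeInformation
```

An Events4738 count of 0 can also mean that auditing was not enabled on that DC, which the first answer lists as a prerequisite, or that the DC could not be reached.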
