Summary
- Event ID 4724 sample Source
- Enable Event 4724 through Group Policy
- Enable Event 4724 via Auditpol
- Disable/Stop Event 4724
Event ID 4724 sample Source
This sample 4724 event was logged when the password of the user Smith was reset. Here, the Subject field indicates who reset the password, and Target Account indicates which user account's password was reset.
An attempt was made to reset an account's password.

Subject:
    Security ID: TESTDOMAIN\Morgan
    Account Name: Morgan
    Account Domain: TESTDOMAIN
    Logon ID: 0xede9c

Target Account:
    Security ID: TESTDOMAIN\Smith
    Account Name: Smith
    Account Domain: TESTDOMAIN
Enable Event 4724 through Group Policy
To enable Event ID 4724 on every Domain Controller, configure the audit policy settings in the Default Domain Controllers Policy. Alternatively, you can create a new GPO and link it to the Domain Controllers OU via the GPMC console, or configure the corresponding audit policy in the Local Security Policy of each Domain Controller.
Follow the steps below to enable the AD password reset audit event 4724 via the Default Domain Controllers Policy.
1. Press the ‘Windows’ + ‘R’ keys.
2. Type the command gpmc.msc, and click OK.
Note: You can skip the above steps by clicking Start –>Administrative Tools –>Group Policy Management.
3. Expand the domain node and the Domain Controllers OU, right-click the Default Domain Controllers Policy, then click Edit.
4. Expand the Computer Configuration node and go to the Audit Policy node (Computer Configuration->Policies->Windows Settings->Security Settings->Local Policies->Audit Policy).
5. In the right-side pane, select the policy Audit account management and enable the Success audit setting.
6. Update/refresh the GPO settings by running the command gpupdate /force.
Enable Password Reset Event 4724 via Auditpol
Auditpol.exe is the command-line utility for changing audit security settings at the category and sub-category level. It is available by default on Windows 2008 R2 and later versions and on Windows 7 and later versions. With Auditpol, we can get and set audit security settings at the per-user level and the computer level.
Note: You should run the Auditpol command with elevated privileges (Run As Administrator).
You can enable the Active Directory user account password reset audit event (Event ID 4724) through the User Account Management subcategory by using the following command:
auditpol /set /subcategory:"User Account Management" /success:enable
Update/refresh the GPO settings by running the command gpupdate /force.
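To confirm that the setting took effect and to see who reset which account's password, the following PowerShell sketch can be used. It is an added example, not part of the original post; it assumes an elevated PowerShell session on a Domain Controller and a 24-hour look-back window, and the variable names are illustrative.

```powershell
# Added example (not from the original post).
# Assumptions: elevated session on a Domain Controller; 24-hour look-back window.

# 1. Show the current audit setting for the subcategory enabled above.
auditpol /get /subcategory:"User Account Management"

# 2. Collect Event ID 4724 from the Security log.
$since  = (Get-Date).AddHours(-24)
$filter = @{ LogName = 'Security'; Id = 4724; StartTime = $since }

# Get-WinEvent reports an error when nothing matches; suppress it so that
# "no resets in the window" simply yields an empty result.
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

$report = foreach ($e in $events) {
    # Read the named EventData fields from the event XML instead of
    # parsing the rendered message text.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    [pscustomobject]@{
        TimeCreated = $e.TimeCreated
        LoggedOn    = $e.MachineName
        # Subject = who performed the reset
        ResetBy     = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
        # Target Account = whose password was reset
        Target      = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
        LogonId     = $data['SubjectLogonId']
    }
}

# Chronological list of resets.
$report | Sort-Object TimeCreated | Format-Table -AutoSize

# Number of resets per Subject account, highest first.
$report | Group-Object ResetBy | Sort-Object Count -Descending |
    Select-Object Count, Name
```

Each Domain Controller records the event in its own Security log, so run the query on every Domain Controller to get the full picture.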
Disable/Stop Password Reset Event 4724
You can disable or stop the Active Directory password reset audit event (Event ID 4724) by removing the success audit setting in the User Account Management subcategory with the following command:
auditpol /set /subcategory:"User Account Management" /success:disable
You can also stop this event by removing the success setting from the Default Domain Controllers GPO in the setting path Computer Configuration->Policies->Windows Settings->Security Settings->Audit Policy->Account Management.
Thanks,
Morgan
Software Developer