
Audit Password Changes in Active Directory

Published By: siddharth
Approved By: Anuraag Singh
Published On: September 24th, 2024
Reading Time: 6 minutes
Category: Active Directory

Admins need to audit password changes in Active Directory from time to time to keep it secure. To help with that, this write-up walks through the ways of tracking AD password changes, from command-line queries to the built-in consoles, so you get a complete picture of when each account's password was last changed. This matters if you plan to reset user passwords in Active Directory any time soon. Let's start with the command-line queries and work our way up from there.

Use Code to Audit Password Changes in Active Directory

Open the command line and paste the following (the exclusion of HealthMailbox* and SystemMailbox* accounts has to be written as an LDAP OR clause, and the attribute list is space-separated):

dsquery * -filter "(&(objectClass=user)(objectCategory=person)(!(|(samAccountName=HealthMailbox*)(samAccountName=SystemMailbox*))))" -limit 15 -attr displayName pwdLastSet

pwdLastSet comes back as a large integer in Windows NT (FILETIME) format. You can turn each value into a human-readable date with the built-in w32tm command:

w32tm.exe /ntte [time in Windows NT time format]

Audit Password Changes in Active Directory with dsquery

Unfortunately, this is labor-intensive, as you have to copy and paste each result one at a time. It also raises the chance of errors or duplicate results, and admins would find it hard to keep track of every value.

So here is an alternative.

First, get a list of all domain users with

net user /domain

Then, for each account (replace %username% with the account name; as written it only shows the currently logged-on user, and findstr needs /C: so that "Password last set" is matched as one phrase rather than as three separate words):

net user %username% /domain | findstr /C:"Password last set"

Audit Password Changes in Active Directory With Command line Net User

Both command-line queries involve manual effort, so relying solely on them is not the best idea. Here is a PowerShell alternative you can use instead (the sort has to use the renamed "User Name" column, since Name no longer exists after Select-Object):

Get-ADUser -Filter * -Properties pwdLastSet | Select-Object @{Name="User Name";Expression={($_.name)}}, @{Name="Last Password Set";Expression={[DateTime]::FromFileTime($_.pwdLastSet)}} | Sort-Object "User Name" | Format-Table -AutoSize

Audit Password Changes in Active Directory with PowerShell

A few tweaks to this go a long way toward identifying the AD computer account password expiration date too. If you would rather avoid code, AD has its own components that can be used to audit the password data.
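Here is an added PowerShell example (not from the original post) that builds on the one-liner above: it applies the same mailbox exclusion as the dsquery filter, treats a pwdLastSet of 0 as "must change at next logon" instead of printing 1601-01-01, works out the expiry date from the domain policy or an applicable fine-grained policy, and adds computer accounts. It assumes the RSAT ActiveDirectory module, a default 30-day machine account password age, and a placeholder CSV path.

```powershell
# Added example, not code from the original post. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory
$now          = Get-Date
$domainPolicy = Get-ADDefaultDomainPasswordPolicy
$neverExpires = @([TimeSpan]::Zero, [TimeSpan]::MaxValue)   # how "no maximum age" shows up

# Same exclusion the dsquery filter intends, written as a valid LDAP OR clause.
$ldap = '(&(objectClass=user)(objectCategory=person)' +
        '(!(|(sAMAccountName=HealthMailbox*)(sAMAccountName=SystemMailbox*))))'

$users = Get-ADUser -LDAPFilter $ldap -Properties pwdLastSet, PasswordNeverExpires | ForEach-Object {
    # A fine-grained password policy (PSO) overrides the domain default when one applies.
    $pso    = Get-ADUserResultantPasswordPolicy -Identity $_ -ErrorAction SilentlyContinue
    $maxAge = if ($pso) { $pso.MaxPasswordAge } else { $domainPolicy.MaxPasswordAge }
    if ($_.pwdLastSet -eq 0) {
        # 0 means "user must change password at next logon"; FromFileTime(0) would show 1601-01-01.
        $lastSet = $null
        $expires = 'Change required at next logon'
    } else {
        $lastSet = [DateTime]::FromFileTime($_.pwdLastSet)
        $expires = if ($_.PasswordNeverExpires -or $maxAge -in $neverExpires) { 'Never' }
                   else { $lastSet + $maxAge }
    }
    [PSCustomObject]@{
        Account         = $_.SamAccountName
        Type            = 'User'
        Enabled         = $_.Enabled
        LastPasswordSet = $lastSet
        PasswordAgeDays = if ($lastSet) { [int]($now - $lastSet).TotalDays } else { $null }
        Expires         = $expires
    }
}

# Computer accounts rotate their own secret (30 days by default; assumed here). A very old
# pwdLastSet on a computer usually means a machine that has stopped talking to the domain.
$computers = Get-ADComputer -Filter * -Properties pwdLastSet | ForEach-Object {
    $lastSet = [DateTime]::FromFileTime($_.pwdLastSet)
    [PSCustomObject]@{
        Account         = $_.SamAccountName
        Type            = 'Computer'
        Enabled         = $_.Enabled
        LastPasswordSet = $lastSet
        PasswordAgeDays = [int]($now - $lastSet).TotalDays
        Expires         = $lastSet.AddDays(30)
    }
}

$report = @($users) + @($computers) | Sort-Object Type, Account
$report | Format-Table -AutoSize
$report | Export-Csv -Path '.\ad-password-audit.csv' -NoTypeInformation   # placeholder path
```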

Get the Last Date of the AD User Password Change Using Native Components

There are three primary ways of using the AD itself to get the latest password change data.

First up is the Event Viewer.

Stage 1: Install Group Policy Management Editor (GPME)

  • Open Server Manager
  • Go to Roles and Features > Features
  • Enable advanced features and select GPME
  • Follow the installation wizard

Stage 2: Configure GPME

  • Step 1: Enable Password Change Auditing
    • Launch GPME.msc
    • Select Policy Object
    • Go to Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Audit Policy
    • Enable “Audit account management” and select Success and Failure
  • Step 2: Configure Event Viewer
    • Follow Step 1 till Security Settings
    • Select Event Log and set the maximum security log size to 1 GB
  • Step 3: Check Security Logs
    • Open Event Viewer
    • Look for Event ID 4724 (an administrator reset an account's password)
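Rather than scrolling through Event Viewer on one server, the added PowerShell example below (not from the original post) collects the password events from every writable domain controller, because each DC only logs the changes it processed itself. Besides 4724 it also pulls 4723, the event written when a user changes their own password, and separates successful from failed attempts; the seven-day window is an assumption.

```powershell
# Added example, not code from the original post. Assumes "Audit account management" (or the
# advanced subcategory "Audit User Account Management", which overrides it when advanced
# audit policy is in use) is enabled on the domain controllers.
Import-Module ActiveDirectory

$since = (Get-Date).AddDays(-7)      # look-back window, chosen for the example
# Each DC records only the changes it processed, so query every writable DC.
$dcs = (Get-ADDomainController -Filter { IsReadOnly -eq $false }).HostName

$events = foreach ($dc in $dcs) {
    try {
        Get-WinEvent -ComputerName $dc -ErrorAction Stop -FilterHashtable @{
            LogName   = 'Security'
            Id        = 4723, 4724     # 4723: user changed own password; 4724: password reset
            StartTime = $since
        }
    } catch {
        # An empty window raises "No events were found"; anything else is worth a warning.
        if ($_.Exception.Message -notmatch 'No events were found') { Write-Warning "${dc}: $_" }
    }
}

$report = foreach ($e in $events) {
    # Read EventData fields by name rather than by position.
    $d = @{}
    foreach ($n in ([xml]$e.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [PSCustomObject]@{
        Time    = $e.TimeCreated
        DC      = $e.MachineName
        Action  = if ($e.Id -eq 4723) { 'Changed by user' } else { 'Reset' }
        Target  = "$($d.TargetDomainName)\$($d.TargetUserName)"
        Actor   = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
        # Both IDs are also logged on failure (e.g. wrong old password, policy rejection).
        Outcome = if ($e.KeywordsDisplayNames -contains 'Audit Success') { 'Success' } else { 'Failure' }
    }
}

$report | Sort-Object Time | Format-Table -AutoSize

# Resets by someone other than the account owner are the ones to review; one actor resetting
# many accounts in a short window is a classic sign of credential misuse.
$report | Where-Object { $_.Action -eq 'Reset' -and $_.Actor -ne $_.Target } |
    Group-Object Actor | Sort-Object Count -Descending | Select-Object Count, Name
```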

The alternative is Active Directory Users and Computers (ADUC).

  • Launch ADUC.
  • In the View menu, make sure Advanced Features is enabled before you proceed.
  • Pick the user from the list whose password you want to audit.
  • Right-click the user > Properties > Attribute Editor > scroll to pwdLastSet.

The Active Directory Administrative Center (ADAC) can also help during password audits.

  • Inside ADAC, open Global Filter and go to LDAP, using (&(objectClass=user)(objectCategory=person)).
  • Pick a user from the list > open Extensions > go to Attribute Editor > read pwdLastSet.

Choosing between these can be difficult, so the next section covers the positives and negatives of each method discussed so far. It will help admins select the method that best suits their use case.

Comparison Chart of All Native Methods

The table below gives a clear idea of how effective each of the traditional AD user password auditing methods is.

Comparison Metric | Command Line | PowerShell | Active Directory GUI
--- | --- | --- | ---
Ease of Use | Moderate – requires knowledge of specific commands. | High – requires scripting knowledge but is powerful. | Easy – user-friendly interface but less flexible.
Efficiency | Time-consuming for large-scale tasks. | Highly efficient for large-scale automation. | Suitable for small, one-off tasks.
Customization | Limited options for customization. | Highly customizable through scripts and filters. | Limited to GUI options.
Automation | Manual process; difficult to automate. | Easy to automate with scripts or scheduled tasks. | No built-in automation features.
Data Granularity | Basic information; limited filtering options. | Detailed reports with specific attributes. | Limited to what the GUI displays.
Real-Time Monitoring | Requires manual refresh or running commands again. | Can be automated for near real-time monitoring. | No real-time monitoring; manual refresh needed.
Export Capabilities | Limited – manual copy-paste or redirection to a file. | Can export to various formats like CSV, TXT. | No direct export options; manual reporting required.
Scalability | Poor scalability for large AD environments. | Highly scalable with automated scripts. | Not scalable for large or complex environments.
Learning Curve | Steeper for beginners; knowledge of commands needed. | Moderate – knowledge of PowerShell required. | Low – easy to learn with a point-and-click interface.
Audit Depth | Basic audit capabilities. | Deep audit capabilities with filters and custom scripts. | Limited to predefined fields visible in the GUI.

Automate Password History Auditing in Active Directory Environments

The SysTools Active Directory Reporting tool is your helping hand for all monitoring activity inside an AD. Use it to pull detailed reports on exactly when a particular user's password was updated.

You can register multiple domains and calculate the time passed since the last password update. Moreover, the tool allows you to

To use the utility for auditing user-level password changes, follow these steps:

Step 1. Install a copy of the software on your machine and launch it. Let the administrator credentials fill in on their own, then press Login.

Step 2. Click REGISTER DOMAIN CONTROLLER to add a new domain; you can also click the small building icon in the top-left corner to open the same dialog box.

Step 3. Inside the box, enter an easy-to-recognize Domain Friendly Name and type in the corresponding IP address. Press Save to register the domain.

Step 4. You are then taken to the Domain Details page, where you enter the admin credentials and click Validate.

Step 5. After that, click the Reports button. A screen with all the available options appears; to begin the audit, click Password Changed Users.

Step 6. On the report creation page, apply the date picker, preview the list of users whose password history is under audit, and generate the CSV, in that order.

Step 7. Once you have the list, save it in an appropriate location and use any text editor or spreadsheet program for further analysis.

Conclusion

We believe there should now be no problem when an admin needs to audit password changes in Active Directory. The complete overview of the various methods, including PowerShell, ADUC, ADAC, Event Viewer, and the command line, was laid out in easy-to-understand language. To fast-track the process and introduce automation into auditing, admins can rely on the utility.
