Attempt was made to change a password
-
Tuesday, February 12, 2013 3:52 PMOn one of my Domain Controllers at about 9.30pm every night I am seeing numerous 4724 events in the security Log. from the event details I cannot tell what is trying to change these passwords?
An attempt was made to change an account's password.
Subject:
Security ID: SYSTEM
Account Name: ServerName$
Account Domain: EXAMPLE
Logon ID: 0x275ad6d4
Target Account:
Security ID: EXAMPLE\wanderson
Account Name: wanderson
Account Domain: EXAMPLE
Additional Information:
Privileges -
All Replies
-
Tuesday, February 12, 2013 4:28 PM
See the link; it may help you.
Best regards Biswajit Biswas Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights. MCP 2003,MCSA 2003, MCSA:M 2003, CCNA, MCTS, Enterprise Admin
-
Wednesday, February 13, 2013 6:02 AMModeratorHi,
Per the subject account info, the request was launched by a computer account, and the computer name is "ServerName", as no one knows the computer's password, so the password change request should be initiated by a service runs under either network service or local system account on "ServerName" server. Enable "Logon Audit" on "ServerName" server, restart it, when the problem happens again, you can match the Logon ID in the events on domain controllers with the Logon ID with the security logs on "ServerName" server and find out which process initiates such kind of requests.
Regards,
Cicely- Marked As Answer by Cicely FengMicrosoft Contingent Staff, Moderator Tuesday, February 19, 2013 4:46 AM
- Unmarked As Answer by GalenGough Wednesday, February 27, 2013 4:11 PM
-
Wednesday, February 27, 2013 4:10 PMI already have that turned on, but am still not seeing any information in the event to ilicit what sevice is causing the issues:
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 2/26/2013 10:09:25 PM
Event ID: 4723
Task Category: User Account Management
Level: Information
Keywords: Audit Failure
User: N/A
Computer: XXXCSPDC01.XXXXXXX.com
Description:
An attempt was made to change an account's password.Subject:
Security ID: SYSTEM
Account Name: XXXCSPDC01$
Account Domain: XXXXXXXXX
Logon ID: 0xeb4bfbTarget Account:
Security ID: XXXXXXX\twiant
Account Name: twiant
Account Domain: XXXXXXXXXAdditional Information:
Privileges -
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4723</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13824</Task>
<Opcode>0</Opcode>
<Keywords>0x8010000000000000</Keywords>
<TimeCreated SystemTime="2013-02-27T05:09:25.526804700Z" />
<EventRecordID>52260530</EventRecordID>
<Correlation />
<Execution ProcessID="608" ThreadID="6272" />
<Channel>Security</Channel>
<Computer>XXXCSPDC01.XXXXXXXX.com</Computer>
<Security />
</System>
<EventData>
<Data Name="TargetUserName">twiant</Data>
<Data Name="TargetDomainName">XXXXXXXXX</Data>
<Data Name="TargetSid">S-1-5-21-2656252003-1427031184-2714925031-15684</Data>
<Data Name="SubjectUserSid">S-1-5-18</Data>
<Data Name="SubjectUserName">XXXCSPDC01$</Data>
<Data Name="SubjectDomainName">XXXXXXXXXX</Data>
<Data Name="SubjectLogonId">0xeb4bfb</Data>
<Data Name="PrivilegeList">-</Data>
</EventData>
</Event>
.png)
