Reset password by SYSTEM?


  • Hi Guys,

    Our customer has security issue now, some users have been reset password by SYSTEM account like below:


    Log Name:      Security
    Source:        Microsoft-Windows-Security-Auditing
    Date:          7/23/2013 10:02:48 PM
    Event ID:      4724
    Task Category: User Account Management
    Level:         Information
    Keywords:      Audit Success
    User:          N/A
    Computer:      DC-01.ABC
    An attempt was made to reset an account's password.

    Security ID: SYSTEM
    Account Name: DC-01$
    Account Domain: ABC
    Logon ID: 0x3e7

    Target Account:
    Security ID: ABC\accountname
    Account Name: accountname
    Account Domain: ABC


    This log is from Domain Controller (DC-01)

    It repeat two days, about ten accounts for each day.

    I try to troubleshoot this issue but I don't know why or who did it. 

    I scan for virus but not found any thing

    Any idea?

    Thank you all.

    Wednesday, July 24, 2013 2:55 AM

All replies

  • Hi,

    Thanks for posting in Microsoft TechNet forums.

    Do you have FIM installed? If this is the case, the issue can be related to the password reset feature.



    TechNet Subscriber Support

    If you are TechNet Subscription user and have any feedback on our support quality, please send your feedback here.

    Thursday, July 25, 2013 3:18 AM
  • No, I don't have FIM . Do you have any other suggestion?

    It has been not happened for two days ago, but today it come again. 

    Users claim alot because their password have been changed without notice :(

    Pls help me!!!

    P/S: Can you show me the way to check if FIM installed in this organization? Like Show the port it connect to AD server or something else. Thank you

    • Edited by NgocNP Saturday, July 27, 2013 2:55 AM edit
    Saturday, July 27, 2013 2:45 AM