Determine how Password is reset?

    Question

  • Is it possible to determine whether a user's password was set by the end user OR if it was set by an administrator through Active Directory Users and Computers? 

    I am trying to target users with a "force password reset at next logon", but I only want to target those users that have not reset since the last administrative set password. 

    thanks

    Thursday, December 20, 2012 4:38 PM

Answers

  • Yes! You can find out who has reset the password.

    You can find where the password was reset, meaning on which server, with the repadmin command:

    repadmin /showobjmeta KOL-ADS01 "CN=bshwjt bshwjt,CN=Users,DC=gs,DC=com"

    Find the red bold value as an example.

    Loc.USN  Originating DC                     Org.USN  Org.Time/Date        Ver  Attribute
    =======  =================================  =======  ===================  ===  =========
      16401  Default-First-Site-Name\KOL-ADS01    16401  2012-11-20 10:14:14    1  objectClass
      16401  Default-First-Site-Name\KOL-ADS01    16401  2012-11-20 10:14:14    1  cn
      16401  Default-First-Site-Name\KOL-ADS01    16401  2012-11-20 10:14:14    1  sn
      16401  Default-First-Site-Name\KOL-ADS01    16401  2012-11-20 10:14:14    1  givenName
      16401  Default-First-Site-Name\KOL-ADS01    16401  2012-11-20 10:14:14    1  instanceType
      16401  Default-First-Site-Name\KOL-ADS01    16401  2012-11-20 10:14:14    1  whenCreated
      16401  Default-First-Site-Name\KOL-ADS01    16401  2012-11-20 10:14:14    1  displayName
      24628  Default-First-Site-Name\KOL-ADS01    24628  2012-11-26 19:34:48    2  nTSecurityDescriptor
      16401  Default-First-Site-Name\KOL-ADS01    16401  2012-11-20 10:14:14    1  name
      16406  Default-First-Site-Name\KOL-ADS01    16406  2012-11-20 10:14:15    4  userAccountControl
      16402  Default-First-Site-Name\KOL-ADS01    16402  2012-11-20 10:14:14    1  codePage
      16402  Default-First-Site-Name\KOL-ADS01    16402  2012-11-20 10:14:14    1  countryCode
      32976  Default-First-Site-Name\KOL-ADS01    32976  2012-12-21 11:09:02    3  dBCSPwd
      16402  Default-First-Site-Name\KOL-ADS01    16402  2012-11-20 10:14:14    1  logonHours
      32976  Default-First-Site-Name\KOL-ADS01    32976  2012-12-21 11:09:02    3  unicodePwd
      32976  Default-First-Site-Name\KOL-ADS01    32976  2012-12-21 11:09:02    3  ntPwdHistory
      32978  Default-First-Site-Name\KOL-ADS01    32978  2012-12-21 11:09:02    4  pwdLastSet
      16402  Default-First-Site-Name\KOL-ADS01    16402  2012-11-20 10:14:14    1  primaryGroupID
      32977  Default-First-Site-Name\KOL-ADS01    32977  2012-12-21 11:09:02    2  supplementalCredentials
      16401  Default-First-Site-Name\KOL-ADS01    16401  2012-11-20 10:14:14    1  objectSid
      24628  Default-First-Site-Name\KOL-ADS01    24628  2012-11-26 19:34:48    1  adminCount
      16402  Default-First-Site-Name\KOL-ADS01    16402  2012-11-20 10:14:14    1  accountExpires
      32976  Default-First-Site-Name\KOL-ADS01    32976  2012-12-21 11:09:02    3  lmPwdHistory
      16401  Default-First-Site-Name\KOL-ADS01    16401  2012-11-20 10:14:14    1  sAMAccountName
      16401  Default-First-Site-Name\KOL-ADS01    16401  2012-11-20 10:14:14    1  sAMAccountType
      16401  Default-First-Site-Name\KOL-ADS01    16401  2012-11-20 10:14:14    1  userPrincipalName
      16409  Default-First-Site-Name\KOL-ADS01    16409  2012-11-20 10:16:32    2  servicePrincipalName
      16401  Default-First-Site-Name\KOL-ADS01    16401  2012-11-20 10:14:14    1  objectCategory

    0 entries.

    Type     Attribute     Last Mod Time  Originating DC     Loc.USN  Org.USN  Ver
    =======  ============  =============  =================  =======  =======  ===
            Distinguished Name
            =============================

    & yes, you can find out who has reset the password: after getting the server name, you have to use eventcombmgmt to find the events.

    You can get eventcombmgmt from altools.

    Download altools.

    http://www.microsoft.com/en-us/download/details.aspx?id=18465

    Find the below snap for your reference :-)

    Auditing needs to be enabled from the Default Domain Policy to find the exact event; the mentioned event may not be correct coz audit is not enabled in my test lab. You will get a msg like "Password reset by administrator".

    Event ID for change password

    http://social.technet.microsoft.com/Forums/eu/winserverDS/thread/ea31f671-5fec-4b8f-82e3-114bc57fd473

    Determine password change info

    http://social.technet.microsoft.com/Forums/en-US/ITCG/thread/a22fd9ef-dcf8-43ee-89ca-de259a8ea4eb


    Best regards Biswajit Biswas Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights. MCP 2003,MCSA 2003, MCSA:M 2003, CCNA, MCTS, Enterprise Admin




    • Edited by bshwjt Friday, December 21, 2012 6:31 AM
    • Proposed as answer by AwinishModerator Monday, December 24, 2012 9:42 AM
    • Marked as answer by Yan Li_Moderator Wednesday, December 26, 2012 2:14 AM
    Friday, December 21, 2012 5:44 AM

All replies

  • There is no way to tell who last reset a password, or if the user reset their own password. However, you can query for all users that must change their password at next logon. For example:

    dsquery * -Filter "(&(objectCategory=person)(objectClass=user)(pwdLastSet=0))" -Limit 0

    -----

    Or, using the Get-ADUser PowerShell cmdlet:

    Get-ADUser -LDAPFilter "(pwdLastSet=0)"

    -----



    Richard Mueller - MVP Directory Services

    Thursday, December 20, 2012 4:52 PM
  • Richard Mueller is absolutely correct; the only way would be to turn on properly configured auditing (it has/had to be enabled when the action was performed).

    Enfo Zipper Christoffer Andersson – Principal Advisor

    Thursday, December 20, 2012 5:12 PM
  • If auditing is enabled, you will be able to track this. To enable Active Directory auditing: http://technet.microsoft.com/en-us/library/cc731607(v=ws.10).aspx

    This can be tracked using the Call User Name. Details here: http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=628


    This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    Thursday, December 20, 2012 10:52 PM
  • If account management auditing is enabled, event ID 4723 (Win2008) or 627 (Win2k3) will be logged if the user password is changed by the user or by another admin. You can check the event log to track the same.

    Audit account management audit: http://technet.microsoft.com/en-us/library/cc737542(v=ws.10).aspx

    Change Password Attempt:http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=627

    Hope this helps


    Best Regards,

    Sandesh Dubey.

    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator | My Blog

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    Friday, December 21, 2012 3:11 AM
  • I am not 100% sure but I believe that the password is stored only after it
    has been encrypted and the encryption is one way.

    To validate a user it takes the password they enter in, encrypts it and then
    compares the encrypted results to make sure they match.

    This is why the only option an admin has for a person that forgot their
    password is to reset it to something instead of telling the user what it is
    currently set to.

    You will probably need to extend your AD Schema to get this to work properly. Make sure to test in a non-production environment first!

    Without auditing enabled it is rarely impossible but like earlier said I'm not 100% sure. 


    • Edited by oliver accord Friday, December 21, 2012 10:00 AM addition
    Friday, December 21, 2012 9:51 AM
  • i.biswajith that is an extremely creative approach and if the log files on the DC hold the value then very cool ingenuity.  Haven't seen nor tried this avenue, but it appears to be a valid approach.  The one problem I see with this is that you also have to determine what DC was the originating DC, since only the DC that performed the change will have it in its Event Log.  We have hundreds of DCs but for a small shop this just might work as expected.

    --
    Paul Bergson
    MVP - Directory Services
    MCITP: Enterprise Administrator
    MCTS, MCT, MCSE, MCSA, Security+, BS CSci
    2008, Vista, 2003, 2000 (Early Achiever), NT4
    http://www.pbbergs.com    Twitter @pbbergs
    http://blogs.dirteam.com/blogs/paulbergson

    Please no e-mails, any questions should be posted in the NewsGroup. This posting is provided "AS IS" with no warranties, and confers no rights.

    Friday, December 21, 2012 1:05 PM
    Moderator
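The lookup that the marked answer and the reply above describe (find the originating DC from replication metadata, then read that DC's Security log), as an added PowerShell example that is not from any poster in this thread. It assumes the ActiveDirectory module, a placeholder account name `jdoe`, and the Windows Server 2008+ event IDs 4723 (password change) and 4724 (password reset); 4724 is not named in the thread.

```powershell
# Added example. $Sam is a placeholder; requires the ActiveDirectory (RSAT) module,
# read access to the Security log on the originating DC, and account-management
# auditing that was already enabled when the password was written.
Import-Module ActiveDirectory

$Sam  = 'jdoe'                                  # hypothetical account name
$User = Get-ADUser -Identity $Sam
$Dc   = (Get-ADDomain).PDCEmulator              # any reachable DC will do

# Same data as "repadmin /showobjmeta": where and when the last unicodePwd write originated.
$Meta = Get-ADReplicationAttributeMetadata -Object $User.DistinguishedName -Server $Dc |
        Where-Object AttributeName -eq 'unicodePwd'

# The originating-DC identity is the DN of an "NTDS Settings" object; its parent
# server object carries the host name to query.
$ServerDn = $Meta.LastOriginatingChangeDirectoryServerIdentity -replace '^CN=NTDS Settings,', ''
$DcHost   = (Get-ADObject -Identity $ServerDn -Properties dNSHostName).dNSHostName

# Only that DC logged the event, so search its log in a window around the metadata timestamp.
$When   = $Meta.LastOriginatingChangeTime
$Filter = @{
    LogName   = 'Security'
    Id        = 4723, 4724
    StartTime = $When.AddMinutes(-10)           # window size is an assumption
    EndTime   = $When.AddMinutes(10)
}

Get-WinEvent -ComputerName $DcHost -FilterHashtable $Filter -ErrorAction SilentlyContinue |
ForEach-Object {
    # Read the named EventData fields rather than relying on positional indexes.
    $Data = @{}
    foreach ($Node in ([xml]$_.ToXml()).Event.EventData.Data) { $Data[$Node.Name] = $Node.'#text' }
    if ($Data['TargetUserName'] -ne $Sam) { return }   # skip events for other accounts
    [pscustomobject]@{
        Time   = $_.TimeCreated
        DC     = $DcHost
        Target = $Data['TargetUserName']
        Actor  = $Data['SubjectUserName']
        Kind   = if ($_.Id -eq 4724) { 'reset by another account' } else { 'change with old password' }
    }
} | Sort-Object Time -Descending
```

If the newest row for an account is a 4724 whose Actor differs from Target, the account is still on a password that someone else set.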
  • Thanks a ton Pbbergs :)

    Yes, it will work for 1000 DCs. I am getting the issue for account lockout\need to find who has reset the password on a daily basis. Audit is enabled in my current work environment & I am following the mentioned steps. Those are working as expected.

    I will update a blog in technet wiki for the same with step by step(with proper event) ASAP :)

    Hope it helps

    Biswajit


    Best regards Biswajit Biswas Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights. MCP 2003,MCSA 2003, MCSA:M 2003, CCNA, MCTS, Enterprise Admin



    • Edited by bshwjt Saturday, December 22, 2012 4:20 AM
    Saturday, December 22, 2012 4:16 AM
  • Hi,

    Just checking in to see if the suggestions were helpful. Please let us know if you would like further assistance.

    If you have any feedback on our support, please click here .


    Cataleya Li
    TechNet Community Support

    Monday, December 24, 2012 6:32 AM
    Moderator
  • Thanks everyone for the responses.  Looks like auditing is required for the suggested method.  I will give it a look.

    Friday, December 28, 2012 7:12 PM