
Windows Event ID 4724 – Microsoft-Windows-Security-Auditing: User Account Password Reset by Administrator

Event ID 4724 logs when an administrator resets another user's password in Active Directory or local accounts, providing critical security audit trail for password management activities.

Emanuel DE ALMEIDA
18 March 2026 | 12 min read

What This Event Means

Event ID 4724 represents a fundamental security audit event that Windows generates whenever an administrator exercises their privilege to reset another user's password. This event serves as a critical component of Windows security logging infrastructure, providing detailed forensic information about password management activities within your organization.

The event captures comprehensive details including the administrator's identity, the target user account, timestamp information, and the workstation from which the reset was initiated. This granular logging enables security teams to maintain complete audit trails for password reset activities, which is essential for compliance frameworks like SOX, HIPAA, and PCI-DSS.

Windows generates this event on the system where the password reset occurs - domain controllers for Active Directory accounts and local machines for local user accounts. The event includes security identifiers (SIDs) for both the administrator and target user, ensuring accurate identification even when account names change over time.

Understanding this event is crucial for detecting unauthorized password resets, investigating security incidents, and maintaining proper administrative oversight of privileged account activities. Security teams rely on Event ID 4724 to identify potential insider threats, verify legitimate administrative actions, and ensure password reset procedures align with organizational security policies.

Applies to

Windows 10, Windows 11, Windows Server 2019/2022/2025

Possible Causes

  • Administrator using Active Directory Users and Computers to reset a user's password
  • PowerShell cmdlets like Set-ADAccountPassword or Reset-ADAccountPassword being executed
  • Local administrator resetting local user account passwords via Computer Management or net user commands
  • Automated scripts or management tools performing bulk password resets
  • Help desk personnel resetting passwords through administrative interfaces
  • Group Policy-driven password resets during account provisioning
  • Third-party identity management systems integrating with Active Directory
Troubleshooting Steps

Step 1: Review Event Details in Event Viewer

Start by examining the specific details of the Event ID 4724 entry to understand the context and participants involved in the password reset.

  1. Open Event Viewer by pressing Win + R, typing eventvwr.msc, and pressing Enter
  2. Navigate to Windows Logs > Security
  3. Filter for Event ID 4724 by right-clicking the Security log and selecting Filter Current Log
  4. Enter 4724 in the Event IDs field and click OK
  5. Double-click on a 4724 event to view detailed information including:
    • Subject: The administrator who performed the reset
    • Target Account: The user whose password was reset
    • Logon ID: Session identifier for the administrative session
    • Caller Computer Name: Workstation where the reset was initiated
Pro tip: Pay attention to the Caller Computer Name field to identify if password resets are coming from expected administrative workstations or potentially unauthorized systems.
Step 2: Query Events with PowerShell

Use PowerShell to efficiently query and analyze Event ID 4724 entries across multiple systems or time ranges.

  1. Open PowerShell as Administrator
  2. Query recent password reset events:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4724} -MaxEvents 50 | Format-Table TimeCreated, Id, LevelDisplayName, Message -Wrap
  3. Filter events by specific time range:
    $StartTime = (Get-Date).AddDays(-7)
    $EndTime = Get-Date
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4724; StartTime=$StartTime; EndTime=$EndTime}
  4. Extract detailed information from event properties:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4724} -MaxEvents 10 | ForEach-Object {
        # Address the EventData fields by their Name attribute: 4724 lists the Target*
        # fields before the Subject* fields, so positional indexes pick the wrong values
        $Data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $Data[$d.Name] = $d.'#text' }
        [PSCustomObject]@{
            TimeCreated   = $_.TimeCreated
            Administrator = "$($Data['SubjectDomainName'])\$($Data['SubjectUserName'])"
            AdminLogonId  = $Data['SubjectLogonId']
            TargetUser    = "$($Data['TargetDomainName'])\$($Data['TargetUserName'])"
            LoggingHost   = $_.MachineName   # 4724 carries no caller-workstation field; correlate with 4624 for that
        }
    }
  5. Query events from remote domain controllers:
    $DCs = Get-ADDomainController -Filter *
    foreach ($DC in $DCs) {
        Write-Host "Checking $($DC.Name)..."
        Get-WinEvent -ComputerName $DC.Name -FilterHashtable @{LogName='Security'; Id=4724} -MaxEvents 5
    }
Step 3: Correlate with Related Security Events

Investigate Event ID 4724 alongside related security events to build a complete picture of administrative activities and potential security concerns.

  1. Check for logon events (4624) from the same administrator around the time of password reset:
    $ResetTime = (Get-Date '2026-03-18 10:30:00')
    $TimeWindow = 30 # minutes
    $StartTime = $ResetTime.AddMinutes(-$TimeWindow)
    $EndTime = $ResetTime.AddMinutes($TimeWindow)
    
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624,4724; StartTime=$StartTime; EndTime=$EndTime} | Sort-Object TimeCreated
  2. Look for account lockout events (4740) that might have preceded the password reset:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4740,4724} -MaxEvents 20 | Sort-Object TimeCreated
  3. Check for privilege escalation events (4672) indicating administrative rights usage:
    # Put the time bound in the filter hashtable so the whole Security log is not read before filtering
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4672,4724; StartTime=(Get-Date).AddHours(-1)} | Sort-Object TimeCreated
  4. Examine failed logon attempts (4625) that might indicate the reason for password reset:
    $TargetUser = "john.doe"
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625; StartTime=(Get-Date).AddDays(-1)} | Where-Object {$_.Message -like "*$TargetUser*"} | Select-Object TimeCreated, Message
Warning: Frequent password resets for the same user account may indicate a compromised account or systematic attack attempts requiring immediate investigation.
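The time-window query above finds events near each other; the tighter join is on the session itself, because the SubjectLogonId in a 4724 is the same value as the TargetLogonId of the 4624 that opened the administrator's logon session, and that 4624 is where the source workstation and IP address are recorded. The following is an added example, not code from the original article: a parser that reads EventData fields by name and a join on Logon ID. The two sample events, the host name DC01.corp.example and the account names in them are constructed for the demonstration so the block runs without a live log.

```powershell
# Added example: correlate 4724 with the 4624 that opened the admin's session
# via the Logon ID, rather than a time window. Assumes Windows PowerShell 5.1+.

function ConvertFrom-SecurityEventXml {
    # Flatten the XML returned by $event.ToXml() into one object whose properties
    # are the <Data Name="..."> fields, so fields are addressed by name, not index.
    param([Parameter(Mandatory)][string]$Xml)
    $doc = [xml]$Xml
    $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('e', 'http://schemas.microsoft.com/win/2004/08/events/event')
    $record = [ordered]@{
        EventId     = [int]$doc.SelectSingleNode('//e:System/e:EventID', $ns).InnerText
        TimeCreated = [datetime]$doc.SelectSingleNode('//e:System/e:TimeCreated', $ns).GetAttribute('SystemTime')
        Computer    = $doc.SelectSingleNode('//e:System/e:Computer', $ns).InnerText
    }
    foreach ($d in $doc.SelectNodes('//e:EventData/e:Data', $ns)) {
        $record[$d.GetAttribute('Name')] = $d.InnerText
    }
    [pscustomobject]$record
}

function Join-ResetToLogon {
    # For every 4724, look up the 4624 whose TargetLogonId equals the reset's
    # SubjectLogonId: that logon is the session the administrator was using.
    param([Parameter(Mandatory)][object[]]$Events)
    $logons = @{}
    foreach ($e in ($Events | Where-Object EventId -eq 4624)) { $logons[$e.TargetLogonId] = $e }
    foreach ($r in ($Events | Where-Object EventId -eq 4724)) {
        $l = $logons[$r.SubjectLogonId]
        [pscustomobject]@{
            ResetTime     = $r.TimeCreated
            Administrator = "$($r.SubjectDomainName)\$($r.SubjectUserName)"
            TargetUser    = "$($r.TargetDomainName)\$($r.TargetUserName)"
            LogonId       = $r.SubjectLogonId
            LogonType     = $(if ($l) { $l.LogonType } else { 'no matching 4624' })
            SourceIp      = $(if ($l) { $l.IpAddress } else { $null })        # where the admin came from
            Workstation   = $(if ($l) { $l.WorkstationName } else { $null })
            LoggedOn      = $r.Computer
        }
    }
}

# Constructed sample events (subset of the real fields; names are made up)
$Sample4624 = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4624</EventID><TimeCreated SystemTime="2026-03-18T10:25:12.000000000Z"/><Computer>DC01.corp.example</Computer></System><EventData><Data Name="TargetUserName">helpdesk01</Data><Data Name="TargetDomainName">CORP</Data><Data Name="TargetLogonId">0x5a3c1</Data><Data Name="LogonType">3</Data><Data Name="WorkstationName">HD-WKS-07</Data><Data Name="IpAddress">10.20.30.40</Data></EventData></Event>
'@
$Sample4724 = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4724</EventID><TimeCreated SystemTime="2026-03-18T10:30:00.000000000Z"/><Computer>DC01.corp.example</Computer></System><EventData><Data Name="TargetUserName">jane.roe</Data><Data Name="TargetDomainName">CORP</Data><Data Name="TargetSid">S-1-5-21-1111-2222-3333-1105</Data><Data Name="SubjectUserSid">S-1-5-21-1111-2222-3333-1104</Data><Data Name="SubjectUserName">helpdesk01</Data><Data Name="SubjectDomainName">CORP</Data><Data Name="SubjectLogonId">0x5a3c1</Data></EventData></Event>
'@

$sample = @($Sample4624, $Sample4724) | ForEach-Object { ConvertFrom-SecurityEventXml $_ }
Join-ResetToLogon -Events $sample | Format-Table -AutoSize

# Against a live Security log on a domain controller:
# $live = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624,4724; StartTime=(Get-Date).AddHours(-1)} |
#         ForEach-Object { ConvertFrom-SecurityEventXml $_.ToXml() }
# Join-ResetToLogon -Events $live
```

A reset whose Logon ID has no 4624 in the window usually means the logon happened before the query's start time, so widen StartTime for the 4624 side before treating the missing join as suspicious.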
Step 4: Configure Advanced Auditing and Monitoring

Implement comprehensive monitoring and alerting for Event ID 4724 to proactively detect unauthorized or suspicious password reset activities.

  1. Enable detailed audit policy for account management:
    auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable
  2. Configure Group Policy for enhanced auditing:
    • Open Group Policy Management Console
    • Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration
    • Enable Audit User Account Management for both Success and Failure
  3. Create a PowerShell monitoring script:
    # Save as Monitor-PasswordResets.ps1; the subscription lives only as long as this session (run it as a scheduled task to keep it up)
    if (-not [System.Diagnostics.EventLog]::SourceExists("Password Monitor")) {
        New-EventLog -LogName Application -Source "Password Monitor"   # Write-EventLog needs a registered source
    }
    # Win32_NTLogEvent is not an event class, so subscribe to instance-creation events for it
    $Query = "SELECT * FROM __InstanceCreationEvent WHERE TargetInstance ISA 'Win32_NTLogEvent' " +
             "AND TargetInstance.LogFile='Security' AND TargetInstance.EventCode=4724"
    Register-WmiEvent -Query $Query -SourceIdentifier "PasswordReset4724" -Action {
        $Log = $Event.SourceEventArgs.NewEvent.TargetInstance
        # InsertionStrings follow the 4724 field order: Target* first ([0] user, [1] domain), then Subject* ([4] user, [5] domain, [6] logon ID)
        $Message = "Password reset detected: user $($Log.InsertionStrings[1])\$($Log.InsertionStrings[0]) " +
                   "by $($Log.InsertionStrings[5])\$($Log.InsertionStrings[4]) (logon ID $($Log.InsertionStrings[6]))"
        Write-EventLog -LogName Application -Source "Password Monitor" -EventId 1001 -Message $Message
        # Add email notification or SIEM integration here
    }
  4. Set up Windows Event Forwarding to centralize logs:
    • Configure source computers with: winrm quickconfig
    • On collector server, run: wecutil cs subscription.xml
    • Create subscription XML targeting Event ID 4724
  5. Implement log retention policies in registry:
    Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\Security" -Name "MaxSize" -Value 0x6400000 # 100MB
    Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\Security" -Name "Retention" -Value 0
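Item 4 above names the subscription XML but does not show it. The block below is an added example, not from the original article: it writes a source-initiated Windows Event Forwarding subscription that selects only Event ID 4724 from the Security channel and registers it with wecutil on the collector. The subscription id PasswordResets-4724 and the collector name WEC01 are assumptions; the SDDL admits members of Domain Controllers and Domain Computers as sources, which you should narrow to the group that actually holds your source hosts.

```powershell
# Added example: create a WEF subscription for Event ID 4724. Run elevated on the collector.
$SubscriptionId  = 'PasswordResets-4724'
$SubscriptionXml = @'
<Subscription xmlns="http://schemas.microsoft.com/2004/02/windowsremotemanagement/subscription">
  <SubscriptionId>PasswordResets-4724</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Forward administrator password resets (Security 4724)</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>MinLatency</ConfigurationMode>
  <Query>
    <![CDATA[
      <QueryList>
        <Query Id="0" Path="Security">
          <Select Path="Security">*[System[(EventID=4724)]]</Select>
        </Query>
      </QueryList>
    ]]>
  </Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceNonDomainComputers></AllowedSourceNonDomainComputers>
  <!-- Assumption: DD = Domain Controllers, DC = Domain Computers; restrict to your source group -->
  <AllowedSourceDomainComputers>O:NSG:BAD:P(A;;GA;;;DD)(A;;GA;;;DC)S:</AllowedSourceDomainComputers>
</Subscription>
'@

$Path = Join-Path $env:TEMP "$SubscriptionId.xml"
Set-Content -Path $Path -Value $SubscriptionXml -Encoding UTF8

wecutil qc /q                    # configure the Windows Event Collector service if not done yet
wecutil cs $Path                 # create the subscription from the XML
wecutil gr $SubscriptionId       # runtime status: lists each source and its last heartbeat

# Source side (per GPO, not run here): Computer Configuration > Policies > Administrative Templates
# > Windows Components > Event Forwarding > Configure target Subscription Manager, value
#   Server=http://WEC01.corp.example:5985/wsman/SubscriptionManager/WEC,Refresh=60
# and the forwarder account (NETWORK SERVICE) must be allowed to read the Security channel,
# which is normally done by adding it to the Event Log Readers group on each source.

# Verify arrivals on the collector once sources have checked in:
Get-WinEvent -LogName ForwardedEvents -FilterXPath "*[System[EventID=4724]]" -MaxEvents 5 -ErrorAction SilentlyContinue
```

Keep the Select filter as narrow as the one above: forwarding the whole Security channel from every domain controller defeats the point of centralising just the password-management trail, and the 4724-only subscription can be reviewed by auditors as evidence of what is collected.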
Step 5: Forensic Analysis and Compliance Reporting

Perform comprehensive forensic analysis of Event ID 4724 for security investigations and compliance reporting requirements.

  1. Export security logs for offline analysis:
    $ExportPath = "C:\Forensics\SecurityLogs_$(Get-Date -Format 'yyyyMMdd').evtx"
    New-Item -ItemType Directory -Path (Split-Path $ExportPath) -Force | Out-Null
    wevtutil epl Security $ExportPath
  2. Generate detailed password reset reports:
    # Create comprehensive password reset report, addressing EventData fields by name
    $Events = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4724} -MaxEvents 1000
    $Report = $Events | ForEach-Object {
        $EventXML = [xml]$_.ToXml()
        $EventData = @{}
        foreach ($d in $EventXML.Event.EventData.Data) { $EventData[$d.Name] = $d.'#text' }
        [PSCustomObject]@{
            Timestamp     = $_.TimeCreated
            Administrator = $EventData['SubjectUserName']
            AdminDomain   = $EventData['SubjectDomainName']
            AdminSID      = $EventData['SubjectUserSid']
            AdminLogonId  = $EventData['SubjectLogonId']
            TargetUser    = $EventData['TargetUserName']
            TargetDomain  = $EventData['TargetDomainName']
            TargetSID     = $EventData['TargetSid']
            # 4724 has no caller-computer field; match AdminLogonId against the 4624 TargetLogonId to find the source workstation
            LoggingHost   = $_.MachineName
        }
    }
    New-Item -ItemType Directory -Path "C:\Reports" -Force | Out-Null
    $Report | Export-Csv -Path "C:\Reports\PasswordResets_$(Get-Date -Format 'yyyyMMdd').csv" -NoTypeInformation
  3. Analyze patterns and anomalies:
    # Identify administrators with high reset activity
    $Report | Group-Object Administrator | Sort-Object Count -Descending | Select-Object Name, Count
    
    # Find unusual reset times (outside business hours)
    $Report | Where-Object {$_.Timestamp.Hour -lt 8 -or $_.Timestamp.Hour -gt 18} | Format-Table
    
    # Detect bulk reset operations
    $Report | Group-Object @{Expression={$_.Timestamp.ToString("yyyy-MM-dd HH:mm")}} | Where-Object {$_.Count -gt 5}
  4. Cross-reference with Active Directory changes:
    Import-Module ActiveDirectory
    $RecentResets = $Report | Where-Object {$_.Timestamp -gt (Get-Date).AddDays(-1)}
    foreach ($Reset in $RecentResets) {
        $User = Get-ADUser -Identity $Reset.TargetUser -Properties PasswordLastSet, LastLogonDate
        Write-Output "User: $($Reset.TargetUser), Password Reset: $($Reset.Timestamp), Last Logon: $($User.LastLogonDate)"
    }
  5. Generate compliance documentation:
    # Create audit trail documentation (Get-WinEvent returns newest first, so $Report[-1] is the oldest event)
    # The closing "@ of a here-string must start in column 1 when this is saved to a script file
    $ComplianceReport = @"
Password Reset Audit Report
Generated: $(Get-Date)
Total Events: $($Report.Count)
Date Range: $($Report[-1].Timestamp) to $($Report[0].Timestamp)

Top Administrators:
$($Report | Group-Object Administrator | Sort-Object Count -Descending | Select-Object -First 5 Name, Count | Format-Table -AutoSize | Out-String)

After-Hours Activity:
$($Report | Where-Object {$_.Timestamp.Hour -lt 8 -or $_.Timestamp.Hour -gt 18} | Format-Table -AutoSize | Out-String)
"@
    $ComplianceReport | Out-File -FilePath "C:\Reports\ComplianceReport_$(Get-Date -Format 'yyyyMMdd').txt"
Pro tip: Maintain separate forensic workstations for security log analysis to prevent contamination of evidence and ensure proper chain of custody for compliance requirements.

Overview

Event ID 4724 fires whenever an administrator resets another user's password through Active Directory Users and Computers, PowerShell cmdlets, or local user management tools. This security audit event captures critical details including who performed the reset, which account was affected, and when the action occurred.

This event appears in the Security log on domain controllers for AD accounts and on local machines for local user accounts. The event provides essential forensic data for compliance auditing, security investigations, and tracking administrative password management activities across your Windows environment.

Unlike password changes initiated by users themselves (Event ID 4723), this event specifically tracks administrative password resets where an administrator with appropriate privileges forces a new password on behalf of another user. The distinction is crucial for security monitoring and understanding whether password changes were user-initiated or administratively mandated.

Frequently Asked Questions

What's the difference between Event ID 4724 and 4723?
Event ID 4724 occurs when an administrator resets another user's password, while Event ID 4723 logs when a user changes their own password. The key distinction is who initiates the action - 4724 represents administrative intervention, while 4723 represents user-initiated password changes. This difference is crucial for security monitoring because administrative password resets may indicate account compromise, help desk activities, or policy enforcement, whereas user password changes are typically routine maintenance.
Why am I seeing Event ID 4724 on workstations instead of just domain controllers?
Event ID 4724 appears on workstations when local user account passwords are reset by local administrators. While domain account password resets generate this event on domain controllers, local account management creates the event on the specific workstation where the account resides. This is normal behavior and provides complete audit coverage for both domain and local account password management activities across your Windows environment.
How can I identify unauthorized password resets using Event ID 4724?
Look for several indicators in Event ID 4724 events: resets occurring outside business hours, administrators resetting passwords for accounts they don't typically manage, resets from unusual computer names or IP addresses, and high-frequency resets for the same user account. Cross-reference the administrator field with your authorized help desk personnel list and examine the caller computer name for unexpected systems. Correlate with logon events (4624) to verify the administrator's legitimate access to the system performing the reset.
Can Event ID 4724 help detect compromised administrator accounts?
Yes, Event ID 4724 can reveal compromised administrator accounts through abnormal password reset patterns. Indicators include: bulk password resets across multiple accounts, resets for high-privilege accounts like Domain Admins, resets occurring from compromised workstations, and resets followed immediately by suspicious logon activity. Monitor for administrators resetting passwords for accounts they've never managed before, especially during off-hours. Combine this analysis with failed logon events (4625) and privilege use events (4672) for comprehensive threat detection.
How long should I retain Event ID 4724 logs for compliance purposes?
Retention requirements for Event ID 4724 vary by compliance framework and organizational policy. SOX typically requires 7 years, HIPAA mandates 6 years, PCI-DSS requires 1 year with 3 months immediately available, and GDPR suggests reasonable periods based on purpose. Many organizations implement a tiered approach: 90 days online in Security logs, 1 year in archived event logs, and long-term storage in compliance databases. Configure Security log size appropriately and implement Windows Event Forwarding to centralize collection before local logs rotate.
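The indicators listed in the two detection answers above (after-hours resets, administrators outside the help-desk list, privileged targets, bulk resets by one administrator, repeated resets of one account) can be turned into a single scoring pass over the report built in step 5. The block below is an added example, not from the original article; it reads objects with the Timestamp, Administrator and TargetUser properties of that $Report, and the help-desk list, privileged-account list and sample records it runs on are constructed for the demonstration.

```powershell
# Added example: score 4724 records against the FAQ's indicators. Assumes objects shaped like
# the step 5 $Report (Timestamp, Administrator, TargetUser); all names below are made up.
function Find-SuspiciousResets {
    param(
        [Parameter(Mandatory)][object[]]$Resets,
        [string[]]$AuthorisedAdmins   = @(),   # help-desk accounts expected to reset passwords
        [string[]]$PrivilegedAccounts = @(),   # accounts whose reset always deserves review
        [int]$BusinessStart = 8,               # same hours the article's after-hours filter uses
        [int]$BusinessEnd   = 18,
        [int]$BulkThreshold = 5,               # resets by one admin within $BulkWindowMinutes
        [int]$BulkWindowMinutes = 10,
        [int]$RepeatThreshold = 3              # resets of the same target within 24 hours
    )
    $sorted = @($Resets | Sort-Object Timestamp)
    foreach ($r in $sorted) {
        $reasons = New-Object System.Collections.Generic.List[string]
        $h = $r.Timestamp.Hour
        if ($h -lt $BusinessStart -or $h -gt $BusinessEnd) { $reasons.Add('after-hours') }
        if ($AuthorisedAdmins.Count -gt 0 -and $AuthorisedAdmins -notcontains $r.Administrator) {
            $reasons.Add('administrator not on help-desk list')
        }
        if ($PrivilegedAccounts -contains $r.TargetUser) { $reasons.Add('privileged target') }
        # Bulk: how many resets did this administrator perform within the window around this one?
        $window = @($sorted | Where-Object { $_.Administrator -eq $r.Administrator -and
                   [math]::Abs(($_.Timestamp - $r.Timestamp).TotalMinutes) -le $BulkWindowMinutes })
        if ($window.Count -ge $BulkThreshold) { $reasons.Add("bulk: $($window.Count) resets in $BulkWindowMinutes min") }
        # Repeat: the same target reset again and again, a sign of a contested or abused account
        $repeats = @($sorted | Where-Object { $_.TargetUser -eq $r.TargetUser -and
                    [math]::Abs(($_.Timestamp - $r.Timestamp).TotalHours) -le 24 })
        if ($repeats.Count -ge $RepeatThreshold) { $reasons.Add("target reset $($repeats.Count) times in 24 h") }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Timestamp     = $r.Timestamp
                Administrator = $r.Administrator
                TargetUser    = $r.TargetUser
                Score         = $reasons.Count
                Reasons       = ($reasons -join '; ')
            }
        }
    }
}

# Constructed sample: two routine help-desk resets, then an unexpected account resetting a
# privileged user late at night and six more accounts in quick succession after midnight.
$base = Get-Date '2026-03-18 10:00:00'
$sample = @(
    [pscustomobject]@{ Timestamp = $base;               Administrator = 'helpdesk01'; TargetUser = 'jane.roe' }
    [pscustomobject]@{ Timestamp = $base.AddMinutes(1); Administrator = 'helpdesk01'; TargetUser = 'sam.lee' }
    [pscustomobject]@{ Timestamp = $base.AddHours(13);  Administrator = 'svc-backup'; TargetUser = 'da-admin' }
) + (1..6 | ForEach-Object {
    [pscustomobject]@{ Timestamp = $base.AddHours(14).AddMinutes($_); Administrator = 'svc-backup'; TargetUser = "user$_" }
})

Find-SuspiciousResets -Resets $sample -AuthorisedAdmins 'helpdesk01','helpdesk02' -PrivilegedAccounts 'da-admin','Administrator' |
    Sort-Object Score -Descending | Format-Table -AutoSize

# Against the real report from step 5:
# Find-SuspiciousResets -Resets $Report -AuthorisedAdmins (Get-Content .\helpdesk-accounts.txt) -PrivilegedAccounts 'Administrator','da-admin'
```

The two help-desk resets produce no output; the da-admin reset scores three (after-hours, unlisted administrator, privileged target) and each of the six post-midnight resets scores three as well (after-hours, unlisted administrator, bulk). Feed the authorised list from your ticketing or IAM system rather than a static file where you can, since a stale list is the most common source of false positives for this rule.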

Written by Emanuel DE ALMEIDA, Senior IT Journalist & Cloud Architect

Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.
