Powershell - Who changed the user password in Active Directory

Would you like to learn how to filter Windows event logs using Powershell to find who changed the user’s password on the domain? In this tutorial, we are going to show you how to find who changed the password of an account on the Active Directory.

• Windows 2012 R2
• Windows 2016
• Windows 2019
• Windows 2022
• Windows 10
• Windows 11

Equipment list

Here you can find the list of equipment used to create this tutorial.

Equipment list

This link will also show the software list used to create this tutorial.

Tutorial Powershell – Who changed the user password in Active Directory

On the domain controller, start an elevated Powershell command line.

List events related to the change of a user password.

Copy to Clipboard

Here is the command output.

Copy to Clipboard

Display the content of events related to the change of user passwords.

Copy to Clipboard

Here is the command output.

Copy to Clipboard

Message              : An attempt was made to reset an account's password.

Subject:
                        Security ID:            S-1-5-21-4215187987-3124207031-433979976-500
                        Account Name:           Administrator
                        Account Domain:         TECH
                        Logon ID:               0x17A3FB

Target Account:
                        Security ID:            S-1-5-21-4215187987-3124207031-433979976-1108
                        Account Name:           yamcha
                        Account Domain:         TECH
Id                   : 4724
Version              : 0
Qualifiers           :
Level                : 0
Task                 : 13824
Opcode               : 0
Keywords             : -9214364837600034816
RecordId             : 194374
ProviderName         : Microsoft-Windows-Security-Auditing
ProviderId           : 54849625-5478-4994-a5ba-3e3b0328c30d
LogName              : Security
ProcessId            : 832
ThreadId             : 3356
MachineName          : TECH-DC01.TECH.LOCAL
UserId               :
TimeCreated          : 8/11/2022 2:34:57 AM
ActivityId           :
RelatedActivityId    :
ContainerLog         : Security
MatchedQueryIds      : {}
Bookmark             : System.Diagnostics.Eventing.Reader.EventBookmark
LevelDisplayName     : Information
OpcodeDisplayName    : Info
TaskDisplayName      : User Account Management
KeywordsDisplayNames : {Audit Success}
Properties           : {System.Diagnostics.Eventing.Reader.EventProperty, System.Diagnostics.Eventing.Reader.EventProperty, System.Diagnostics.Eventing.Reader.EventProperty, System.Diagnostics.Eventing.Reader.EventProperty...}

Display only the content of the event message.

Copy to Clipboard

Here is the command output.

Copy to Clipboard

Find who changed the password of users in the last 30 days.

Copy to Clipboard

Search for events related to the change of user passwords in a specific time interval.

Copy to Clipboard

List events related to the password change of a specific user account.

Copy to Clipboard

In our example, we filtered based on the event message content.

This Powershell script filters who changed the user password.

Copy to Clipboard

Here is the command output.

Copy to Clipboard

When a user changes his own password, the correct event ID is 4723.

Congratulations! You are able to find who changed a user password in the Active Directory using Powershell.

Powershell – Who changed the user password in Active Directory