Would you like to learn how to filter Windows event logs using Powershell to find who changed the user's password on the domain? In this tutorial, we are going to show you how to find who changed the password of an account on the Active Directory.

• Windows 2012 R2
• Windows 2016
• Windows 2019
• Windows 2022
• Windows 10
• Windows 11

Equipment list

Here you can find the list of equipment used to create this tutorial.

This link will also show the software list used to create this tutorial.

Related tutorial - PowerShell

On this page, we offer quick access to a list of tutorials related to PowerShell.

Tutorial Powershell - Who changed the user password in Active Directory

On the domain controller, start an elevated Powershell command line.

Windows 10 - powershell elevated

List events related to the change of a user password.

Copy to Clipboard

Here is the command output.

Copy to Clipboard

Display the content of events related to the change of user passwords.

Copy to Clipboard

Here is the command output.

Copy to Clipboard

Display only the content of the event message.

Copy to Clipboard

Here is the command output.

Copy to Clipboard

Find who changed the password of users in the last 30 days.

Copy to Clipboard

Search for events related to the change of user passwords in a specific time interval.

Copy to Clipboard

List events related to the password change of a specific user account.

Copy to Clipboard

In our example, we filtered based on the event message content.

This Powershell script filters who changed the user password.

Copy to Clipboard

Here is the command output.

Copy to Clipboard

When a user changes his own password, the correct event ID is 4723.

Congratulations! You are able to find who changed a user password in the Active Directory using Powershell.