Have you ever bumped into a situation where a password has been changed in AD and then you need to speak to whoever changed it to discuss the circumstances around the change? Yes, me too.
Sure, you could visit each Domain Controller and filter the security event logs for the correct event ID, and then read each result, scrolling through the data, but that’s a little on the laborious side, wouldn’t you say?
Here’s a PowerShell function that will search each of your Domain Controllers for event ID 4724, the Security-log event recorded when an account’s password is reset by someone other than the account owner (an administrator or helpdesk reset; a user changing their own password is 4723 instead). It returns a list of the accounts whose passwords were reset, along with who reset them, on which DC, and when. All DCs have to be queried because the event is only written on the DC that actually processed the reset.
function Get-AllAdminPWChange {
    # Enumerate the DCs. Update SearchBase for your domain (Get-ADDomainController -Filter * is an alternative).
    (Get-ADComputer -SearchBase 'OU=Domain Controllers,DC=yourdomain,DC=com' -Filter *).Name | ForEach-Object {
        $dc = $_
        try {
            # 4724 = "An attempt was made to reset an account's password" (reset by another account; 4723 is a user changing their own).
            Get-WinEvent -ComputerName $dc -FilterHashtable @{LogName = 'Security'; ID = 4724} -ErrorAction Stop | ForEach-Object {
                $event = [xml]$_.ToXml()
                if ($event) {
                    # EventData order for 4724: [0] TargetUserName ... [4] SubjectUserName
                    [PSCustomObject]@{
                        Server     = $event.Event.System.Computer
                        AdminUser  = $event.Event.EventData.Data[4].'#text'
                        TargetUser = $event.Event.EventData.Data[0].'#text'
                        Time       = Get-Date $_.TimeCreated -UFormat '%Y-%m-%d %H:%M:%S'
                    }
                }
            }
        }
        catch {
            # Get-WinEvent throws when a DC has no matching events or is unreachable; only the latter is worth reporting.
            if ($_.FullyQualifiedErrorId -notlike 'NoMatchingEventsFound*') {
                Write-Warning "$dc : $($_.Exception.Message)"
            }
        }
    }
}
Don’t forget to update the SearchBase to reflect your domain. A few caveats: 4724 is only written when the “Audit User Account Management” subcategory is enabled on your DCs, so if it isn’t, there will be nothing to find; the function only returns what is currently in the Security log on each DC, so if your log size is small and entries are overwritten quickly, recent resets may already be gone; and Get-WinEvent -ComputerName needs the Remote Event Log Management firewall rule open and read access to the Security log on each DC.
Obviously, you can change the event ID and LogName to search for any other AD-logged event, but other events lay out their EventData fields in a different order, so adjust the field indexes and the output accordingly, not just the wording.
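As an added example (not code from the original post), here is the same search generalised a little: the parser reads the EventData fields by their Name attribute instead of by position, so it survives reuse for other event IDs, and the collector takes a StartTime so you don’t pull the whole Security log from every DC. The function names, the default seven-day window, and the sample event XML are my own assumptions and a constructed record, not a real log entry; Get-ADDomainController, Get-WinEvent and the 4724 field names (SubjectUserName, TargetUserName, and so on) are real.

```powershell
# Added example; not part of the original post. Names and sample data are assumed/constructed.

function ConvertFrom-EventXml {
    # Flatten one Security event into an object keyed by EventData field names, not positions.
    param([Parameter(Mandatory)][xml]$Xml)

    $data = @{}
    foreach ($d in $Xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    [PSCustomObject]@{
        Time        = [datetime]$Xml.Event.System.TimeCreated.SystemTime
        Server      = $Xml.Event.System.Computer
        EventId     = [int]$Xml.Event.System.EventID
        # Subject = who did it, Target = whose account was touched (same names for 4723/4724/4740 etc.)
        SubjectUser = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
        TargetUser  = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
    }
}

function Get-AdminPasswordReset {
    # Query every DC (4724 is only logged on the DC that processed the reset) within a time window.
    param(
        [string[]]$DomainController = (Get-ADDomainController -Filter *).HostName,
        [datetime]$StartTime = (Get-Date).AddDays(-7),   # assumed default window
        [int[]]$EventId = 4724
    )

    foreach ($dc in $DomainController) {
        try {
            Get-WinEvent -ComputerName $dc -ErrorAction Stop `
                -FilterHashtable @{ LogName = 'Security'; ID = $EventId; StartTime = $StartTime } |
                ForEach-Object { ConvertFrom-EventXml ([xml]$_.ToXml()) }
        }
        catch {
            # "No events found" is normal for a DC that handled no resets; anything else is worth seeing.
            if ($_.FullyQualifiedErrorId -notlike 'NoMatchingEventsFound*') {
                Write-Warning "$dc : $($_.Exception.Message)"
            }
        }
    }
}

# Constructed sample 4724 record (not a real log entry) so the parser can be exercised offline.
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" />
    <EventID>4724</EventID>
    <TimeCreated SystemTime="2024-01-15T09:30:00.000Z" />
    <Computer>DC01.yourdomain.com</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserName">jdoe</Data>
    <Data Name="TargetDomainName">YOURDOMAIN</Data>
    <Data Name="TargetSid">S-1-5-21-1-2-3-1105</Data>
    <Data Name="SubjectUserSid">S-1-5-21-1-2-3-500</Data>
    <Data Name="SubjectUserName">helpdesk.admin</Data>
    <Data Name="SubjectDomainName">YOURDOMAIN</Data>
    <Data Name="SubjectLogonId">0x3e7</Data>
  </EventData>
</Event>
'@

ConvertFrom-EventXml ([xml]$sample)

# Against live DCs, for example the last 24 hours, sorted and tabulated:
# Get-AdminPasswordReset -StartTime (Get-Date).AddDays(-1) | Sort-Object Time | Format-Table -AutoSize
```

Because the collector emits objects rather than Write-Host text, the results can be piped into Sort-Object, Export-Csv or Where-Object (for instance to find every reset performed by one particular account) without touching the function.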

