To achieve this, we first have to enable account auditing for both success and failure through the Group Policy Management Editor.
Edit an existing Group Policy or create a new one, then go to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> Audit Policy.
Enable the settings.
After the Group Policy is applied, the events start being logged and can be viewed in Event Viewer. We can create a Custom View to filter for the events below.
Event ID 627 – Change Password Attempt
Event ID 628 – User Account Password Set
Event ID 4724 – An attempt was made to reset an account’s password
Event ID 4723 – An attempt was made to change an account’s password
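
The same filter as the Custom View, written as a PowerShell query (an added example, not part of the original post). It covers only 4723 and 4724, the IDs logged by current Windows versions; the seven-day window and the output column names are assumptions.

```powershell
# Added example: list password change/reset events from the Security log.
# Run from an elevated prompt on the machine that holds the log
# (for domain accounts, a domain controller).

$since = (Get-Date).AddDays(-7)          # assumed look-back window

# Descriptions taken from the event list above.
$labels = @{
    4723 = "Password change attempt"
    4724 = "Password reset attempt"
}

$filter = @{
    LogName   = 'Security'
    Id        = 4723, 4724
    StartTime = $since
}

# Get-WinEvent raises an error when nothing matches, so silence it
# and let an empty result simply produce no rows.
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # The named fields live in the event XML under EventData.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) {
            $data[$d.Name] = $d.'#text'
        }

        [pscustomobject]@{
            TimeCreated = $_.TimeCreated
            EventId     = $_.Id
            Action      = $labels[$_.Id]
            # Account whose password was changed or reset
            Target      = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
            # Account that performed the operation
            Actor       = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
            Computer    = $_.MachineName
        }
    } |
    Sort-Object TimeCreated -Descending |
    Format-Table -AutoSize
```

Rows where Actor and Target differ on event 4724 are resets performed by someone other than the account owner, which is usually the case worth reviewing.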