Como descubro quem mudou uma senha?
Procure por 4723: Foi feita uma tentativa de alterar a senha de uma conta e 4724: Foi feita uma tentativa de redefinir uma senha de conta
4723: An attempt was made to change an account's password
The user attempted to change his/her own password. Subject and Target should always match. Don't confuse this event with 4724.
This event is logged as a failure if his new password fails to meet the password policy.
If the user fails to correctly enter his old password this event is not logged. Instead, for domain accounts, a 4771 is logged with kadmin/changepw as the service name.
This event is logged both for local SAM accounts and domain accounts.
You will also see event ID 4738 informing you of the same information.
Subject:
The user and logon session that performed the action.
- Security ID: The SID of the account.
- Account Name: The account logon name.
- Account Domain: The domain or - in the case of local accounts - computer name.
- Logon ID is a semi-unique (unique between reboots) number that identifies the logon session. Logon ID allows you to correlate backwards to the logon event (4624) as well as with other events logged during the same logon session.
Consulte o link da fonte abaixo para ver uma lista completa de categorias e subcategorias do evento.
Fonte 4723: Foi feita uma tentativa de alterar a senha de uma conta
4724: An attempt was made to reset an accounts password
The Subject attempted to reset the password of the Target:
Don't confuse this event with 4723.
This event is logged as a failure if the new password fails to meet the password policy.
This event is logged both for local SAM accounts and domain accounts.
You will also see one or more event ID 4738s informing you of the same information.
Subject:
The user and logon session that performed the action.
- Security ID: The SID of the account.
- Account Name: The account logon name.
- Account Domain: The domain or - in the case of local accounts - computer name.
- Logon ID is a semi-unique (unique between reboots) number that identifies the logon session. Logon ID allows you to correlate backwards to the logon event (4624) as well as with other events logged during the same logon session.
Consulte o link da fonte abaixo para ver uma lista completa de categorias e subcategorias do evento.
Fonte 4724: Foi feita uma tentativa de redefinir a senha de uma conta