4723 An attempt was made to change an account's password
Written when a user attempts to change their own password. It indicates a self-service change, which is what distinguishes it from an administrator reset (4724).
Overview
The subcategory is Audit User Account Management. The event is generated when a user attempts to change their own password, and it is recorded on domain controllers, member servers, and workstations alike. The Subject (the actor) and Target (the account) normally match.
How it is triggered
- When a user changes their own password knowing the old one (Ctrl+Alt+Del then change password, `net user`, and so on).
- A failure to meet password policy can produce a Failure event.
Security review points
- Normally `Subject` and `Target` are the same (a self change). If they differ, or if many changes occur in a short time, suspect an anomaly.
- It is important to distinguish it from an administrator reset 4724. In account takeover, a reset 4724 is more often used than a self-change 4723.
Notes for log review
- Legitimate password changes happen every day. Focus on anomalous patterns such as “Subject != Target,” high-privilege accounts, and short-interval bursts, rather than the count.
- Monitor 4723/4724 together, alongside password policy and reset operations.
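The review patterns above, applied to a handful of events, as an added example that is not part of the original page. The record shape (`subject` and `target` standing for Subject\Account Name and Target Account\Account Name), the watchlist, and the burst threshold are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumptions (not from the page): watchlist, thresholds, and record shape.
PRIVILEGED = {"administrator", "svc-backup"}   # hypothetical high-privilege watchlist
BURST_COUNT = 3                                # hypothetical: 3 changes ...
BURST_WINDOW = timedelta(minutes=5)            # ... by one subject within 5 minutes

# Constructed sample events, as if exported from the Security log.
SAMPLE = [
    {"id": 4723, "time": "2024-05-01T09:00:00", "subject": "alice", "target": "alice"},
    {"id": 4723, "time": "2024-05-01T09:10:00", "subject": "bob", "target": "carol"},
    {"id": 4723, "time": "2024-05-01T10:00:00", "subject": "dave", "target": "dave"},
    {"id": 4723, "time": "2024-05-01T10:01:00", "subject": "dave", "target": "dave"},
    {"id": 4723, "time": "2024-05-01T10:02:00", "subject": "dave", "target": "dave"},
    {"id": 4724, "time": "2024-05-01T11:00:00", "subject": "helpdesk1", "target": "Administrator"},
    {"id": 4723, "time": "2024-05-01T12:00:00", "subject": "Alice", "target": "alice"},
]

def review(events):
    """Return (time, event id, reason) findings for 4723/4724 events."""
    findings = []
    recent = defaultdict(deque)  # subject -> timestamps of recent 4723 events
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["id"] not in (4723, 4724):
            continue
        when = datetime.fromisoformat(ev["time"])
        # Account names are compared case-insensitively.
        subject, target = ev["subject"].lower(), ev["target"].lower()
        if target in PRIVILEGED:            # applies to both 4723 and 4724
            findings.append((ev["time"], ev["id"], "privileged-target"))
        if ev["id"] != 4723:
            continue
        if subject != target:               # a self change should have matching names
            findings.append((ev["time"], 4723, "subject-ne-target"))
        window = recent[subject]
        window.append(when)
        while when - window[0] > BURST_WINDOW:   # drop events older than the window
            window.popleft()
        if len(window) >= BURST_COUNT:
            findings.append((ev["time"], 4723, "burst"))
    return findings

if __name__ == "__main__":
    for finding in review(SAMPLE):
        print(finding)
```

Ordinary self changes, including the one where only the case of the name differs, produce no finding, which keeps the daily volume of legitimate 4723 events out of the result.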
Key fields
| Field | Meaning |
|---|---|
| Subject\Account Name | The account that performed the change |
| Target Account\Account Name | The account whose password was changed |