4724 An attempt was made to reset an account's password
Written when one account attempts to reset another account’s password. Unlike a self-change 4723, it indicates a “forced reset by someone else” and is heavily used in account takeover.
Overview
The subcategory is Audit User Account Management. It is generated when one account attempts to reset another account’s password. Normally the Subject (the one resetting) and Target (the one being reset) differ. For domain accounts, a new password failing policy produces a Failure event.
How it is triggered
- A password reset by an administrator or help desk (resetting without knowing the old password).
- net user <user> <newpass>, the AD reset operation, Set-ADAccountPassword -Reset, and so on.
Security review points
- It is a hallmark of account takeover. When an attacker resets a target account’s password to seize control, 4724 appears rather than 4723 (self change). Strongly suspect it if the Subject would not normally manage that account.
- Investigate resets of high-privilege accounts (administrators, service accounts, KRBTGT, and so on) at top priority. Together with a following logon 4624, track the reset-then-logon takeover flow.
Notes for log review
- It occurs daily in help-desk operations. Baseline the legitimate reset subjects (help-desk accounts and so on) to surface 4724 by anyone else.
- Focus especially on “resets of high-privilege accounts other than one’s own,” “outside business hours,” and “a subject that does not normally perform resets.”
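The review points above expressed as triage logic over exported events. This is an added example, not part of the original page. The baseline accounts, privileged-account list, business hours, 30-minute correlation window, simplified field names and sample events are all assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Assumed site-specific values (not from the page): tune to your environment.
RESET_BASELINE = {"helpdesk01", "helpdesk02"}   # accounts expected to reset passwords
PRIVILEGED = {"administrator", "krbtgt", "svc-backup"}
BUSINESS_HOURS = range(8, 18)                   # 08:00-17:59 local time
LOGON_WINDOW = timedelta(minutes=30)            # reset-then-logon correlation window

# Constructed sample events with simplified field names:
# "subject" = Subject\Account Name, "target" = Target Account\Account Name;
# for 4624, "target" is the account that logged on.
EVENTS = [
    {"id": 4724, "time": "2024-05-06T10:15:00", "subject": "helpdesk01", "target": "alice"},
    {"id": 4724, "time": "2024-05-06T23:40:00", "subject": "bob", "target": "svc-backup"},
    {"id": 4624, "time": "2024-05-06T23:44:00", "target": "svc-backup"},
    {"id": 4724, "time": "2024-05-07T11:00:00", "subject": "helpdesk02", "target": "Administrator"},
]

def triage_resets(events):
    """Flag 4724 events matching the review points; returns a list of findings."""
    parsed = [dict(e, ts=datetime.fromisoformat(e["time"])) for e in events]
    logons = [(e["target"].lower(), e["ts"]) for e in parsed if e["id"] == 4624]
    findings = []
    for ev in (e for e in parsed if e["id"] == 4724):
        subject, target = ev["subject"].lower(), ev["target"].lower()
        reasons = []
        if subject not in RESET_BASELINE:
            reasons.append("subject-not-in-baseline")
        if target in PRIVILEGED:
            reasons.append("privileged-target")
        if ev["ts"].hour not in BUSINESS_HOURS:
            reasons.append("outside-business-hours")
        # A logon right after a reset is normal for help-desk resets, so it is
        # only added as context when another review point already matched.
        if reasons and any(acct == target and ev["ts"] <= ts <= ev["ts"] + LOGON_WINDOW
                           for acct, ts in logons):
            reasons.append("logon-after-reset")
        if reasons:
            findings.append({"time": ev["time"], "subject": subject,
                             "target": target, "reasons": reasons})
    return findings

if __name__ == "__main__":
    for finding in triage_resets(EVENTS):
        print(finding)
```

The routine help-desk reset of an ordinary user during business hours produces no finding, while the baseline subject resetting Administrator is still surfaced because the target is privileged.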
Key fields
| Field | Meaning |
|---|---|
| Subject\Account Name | The account that performed the reset |
| Target Account\Account Name | The account whose password was reset |
Glossary
- Account takeover — an attack that seizes control of a legitimate account. A password reset is a prime means.