4793 The Password Policy Checking API was called
Written when the Password Policy Checking API is called. It captures the process of checking whether a given password complies with policy.
Overview
The subcategory is Audit Other Account Management Events. The event is generated whenever the NetValidatePasswordPolicy API is called. Applications use this API to check in advance whether a specified password meets an account’s password policy (length, complexity, history, and so on).
How it is triggered
- When an application or service checks policy compliance with NetValidatePasswordPolicy before setting a password.
Security review points
- This API call is not the password-change authentication itself, but frequent calls from an unexpected process are a reason to consider whether the activity is probing the policy while trying passwords (narrowing down policy-compliant candidates).
- Confirm that the calling process and subject belong to a legitimate component that performs password management.
Notes for log review
- It is normally generated by legitimate password-management applications. Compare the caller and frequency against their normal patterns.
- Its standalone priority is not high. Read it in context together with password change (4723) and reset (4724) events.
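The review points above can be turned into a small triage pass. This is an added example, not part of the original page: it compares each 4793 caller with a baseline, measures the peak call rate, and checks for a nearby 4723/4724 from the same subject. The record layout, account and host names, baseline and thresholds are all assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real logs). Assumed layout of an already
# parsed export: (time, event id, Subject\Account Name, caller information).
SAMPLE = [
    ("2024-05-01T09:00:00", 4793, "svc-pwreset", "IDM01"),
    ("2024-05-01T09:00:02", 4724, "svc-pwreset", "IDM01"),
    ("2024-05-01T10:15:00", 4793, "jdoe", "WS-117"),
    ("2024-05-01T10:15:05", 4793, "jdoe", "WS-117"),
    ("2024-05-01T10:15:09", 4793, "jdoe", "WS-117"),
    ("2024-05-01T10:15:14", 4793, "jdoe", "WS-117"),
    ("2024-05-01T10:15:20", 4793, "jdoe", "WS-117"),
]
# Assumed baseline of legitimate password-management callers.
BASELINE = {("svc-pwreset", "IDM01")}

def review_4793(records, baseline, window=timedelta(minutes=1), burst=5):
    """Flag 4793 callers outside the baseline, bursts, and missing 4723/4724 context."""
    rows = sorted((datetime.fromisoformat(t), e, s, c) for t, e, s, c in records)
    checks = defaultdict(list)   # (subject, caller) -> times of 4793
    changes = defaultdict(list)  # subject -> times of 4723 / 4724
    for ts, eid, subj, caller in rows:
        if eid == 4793:
            checks[(subj, caller)].append(ts)
        elif eid in (4723, 4724):
            changes[subj].append(ts)
    findings = []
    for key, times in checks.items():
        reasons = [] if key in baseline else ["caller not in baseline"]
        # Largest number of calls that fall inside any sliding window.
        peak, start = 0, 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= burst:
            reasons.append(f"{peak} calls within {window}")
        # Was the checking followed by a change or reset from the same subject?
        followed = any(c >= times[0] and c - times[-1] <= window
                       for c in changes[key[0]])
        if reasons and not followed:
            reasons.append("no 4723/4724 nearby")
        if reasons:
            findings.append({"subject": key[0], "caller": key[1], "reasons": reasons})
    return findings

if __name__ == "__main__":
    for finding in review_4793(SAMPLE, BASELINE):
        print(finding)
```
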
Key fields
| Field | Meaning |
|---|---|
| Subject\Account Name | The subject that called the API |
| Caller-related information | Information about the caller |