Event ID: 4723

An attempt was made to change an account's password

An attempt was made to change an account's password.

Subject:
    Security ID:        %4
    Account Name:       %5
    Account Domain:     %6
    Logon ID:           %7

Target Account:
    Security ID:        %3
    Account Name:       %1
    Account Domain:     %2

Additional Information:
    Privileges          %8
Microsoft Documentation

Event ID - 4723



Generates every time a user attempts to change his or her password. For user accounts, this event generates on domain controllers, member servers, and workstations.

For domain accounts, an Audit Failure event generates if the new password fails to meet the password policy. For local accounts, an Audit Failure event generates if the new password fails to meet the password policy or old password is wrong.

For domain accounts, if the old password was wrong then “4771: Kerberos pre-authentication failed” or “4776: The computer attempted to validate the credentials for an account” will be generated on the domain controller if specific subcategories were enabled on it.

Typically you will see 4723 events with the same Subject\Security ID and Target Account\Security ID fields, which is normal behavior.



Name Field Insertion String OS Example
Account Name TargetUserName %1 Any UserName
Account Domain TargetDomainName %2 Any DOMAIN
Security ID TargetSid %3 Any S-1-5-21-3457937927-2839227994-823803824-1104
Security ID SubjectUserSid %4 Any S-1-5-21-3457937927-2839227994-823803824-1104
Account Name SubjectUserName %5 Any UserName
Account Domain SubjectDomainName %6 Any DOMAIN
Logon ID SubjectLogonId %7 Any 0x1a9b76
Privileges PrivilegeList %8 Any View Codes


Lookup Audit Policy Configuration Settings

C:\> AuditPol.exe /get /subcategory:"User Account Management"
How to enable Windows Auditing



LEFT/RIGHT arrow keys for navigation

Back to List