Event ID: 4723An attempt was made to change an account's password
An attempt was made to change an account's password. Subject: Security ID: %4 Account Name: %5 Account Domain: %6 Logon ID: %7 Target Account: Security ID: %3 Account Name: %1 Account Domain: %2 Additional Information: Privileges %8
Generates every time a user attempts to change his or her password. For user accounts, this event generates on domain controllers, member servers, and workstations.
For domain accounts, an Audit Failure event generates if the new password fails to meet the password policy. For local accounts, an Audit Failure event generates if the new password fails to meet the password policy or old password is wrong.
For domain accounts, if the old password was wrong then “4771: Kerberos pre-authentication failed” or “4776: The computer attempted to validate the credentials for an account” will be generated on the domain controller if specific subcategories were enabled on it.
Typically you will see 4723 events with the same Subject\Security ID and Target Account\Security ID fields, which is normal behavior.
Lookup Audit Policy Configuration Settings
C:\> AuditPol.exe /get /subcategory:"User Account Management"
LEFT/RIGHT arrow keys for navigationBack to List