Event ID 4724

An attempt was made to reset an account's password 

An attempt was made to reset an account's password.

Subject:
    Security ID:        %4
    Account Name:       %5
    Account Domain:     %6
    Logon ID:           %7

Target Account:
    Security ID:        %3
    Account Name:       %1
    Account Domain:     %2


This event generates every time an account attempted to reset the password for another account.

For user accounts, this event generates on domain controllers, member servers, and workstations.

For domain accounts, a Failure event generates if the new password fails to meet the password policy.

A Failure event does NOT generate if user gets “Access Denied” while doing the password reset procedure.

This event also generates if a computer account reset procedure was performed.

For local accounts, a Failure event generates if the new password fails to meet the local password policy.

CJIS 5.04.1.1.3
ISO 27001:2013 A.9.2.1


Microsoft Documentation

Event ID - 4724



Name Field Insertion String OS Example
Account Name TargetUserName %1 Any TargetUserName
Account Domain TargetDomainName %2 Any DOMAIN
Security ID TargetSid %3 Any S-1-5-21-3457937927-2839227994-823803824-1107
Security ID SubjectUserSid %4 Any S-1-5-21-3457937927-2839227994-823803824-1104
Account Name SubjectUserName %5 Any UserName
Account Domain SubjectDomainNamec %6 Any DOMAIN
Logon ID SubjectLogonId %7 Any 0x30d5f

Lookup Audit Policy Configuration Settings

C:\> AuditPol.exe /get /subcategory:"User Account Management"
How to enable Windows Auditing
Recommended Audit Policy

Operating Systems:
Windows Vista Windows 2008 Windows 2008 R2 Windows 7 Windows 2012 Windows 2012 R2 Windows 8 Windows 8.1 Windows 10 Windows 2016 Windows 2019 Windows 2022

Tags:
Audit Failure Audit Success CJIS ISO 27001:2013
Audit Category:
Account Management

Audit Subcategory:
User Account Management
Legacy Events:
628

LEFT/RIGHT arrow keys for navigation

Back to List