Forum Discussion
Account Password was changed
ATA has on activities Account password was changed. Is there a way to know what account password change password?
No, This activity is calculated based on the password update time.
When we see the update time changes, we know the password changed, but we can't get the account that changed it.
- EliOfekMicrosoft
No, This activity is calculated based on the password update time.
When we see the update time changes, we know the password changed, but we can't get the account that changed it.
- Simon BackwellCopper Contributor
Hi Eli
Thanks for the answer; could I clarify this please?
In ATA, it shows this activity for a user who is adamant they did not change their password. It happened at 8:16 yesterday (01/10/18) morning. However, this activity does not show to me when I search for that user; just to them when they search for themselves on ATA.
Can you please elaborate why this might occur; is it a false positive (they got their password wrong but this shows as the following activity to both me and him) or has someone tried to change his password but not him?
Thanks
Simon
- EliOfekMicrosoft
I am not aware of false positives in logical activities, only on alerts.
logical activities represent facts.
Password changed means we so the password update time for this attribute changed.
It can happen if the user changed his own password or if it was changed for them,
but it's unrelated to trying to authenticate.
Also, trying to change a password without success should not trigger this password change activity.
Also, we don't have ACLs on logical activities, so I have no idea how come one of you can see the activity and one can't, unless you are using different filters or something like that.
I suggest to check the date in AD for that user using the Pwd-Last-Set attribute and see if it corresponds to what ATA is reporting.
https://docs.microsoft.com/en-us/windows/desktop/adschema/a-pwdlastset
Eli.