Q: Our domain administrators aren't always setting the Force user to change password at next login parameter, which is against our corporate policy. I have been trying to find a way to audit this action, but haven't found a way to do so. Are you aware of an event that logs whether an administrator has set the Force user to change password at next login parameter?
A: Windows actually does log a distinct pattern of Security log events that reveals whether an administrator included the Force user to change password at next login parameter with a password reset. What you need to track is the change to the Password Last Set property on the user account object, because Active Directory (AD) has no separate attribute for forcing a user to change the password at next logon. Instead, AD clears the Password Last Set value (the pwdLastSet attribute is set to 0), which the event text and the management tools display as <never>.
First, you need to make sure your domain controllers (DCs) will log the events necessary to track password resets. A reset is logged only on the DC that processed it, so the policy must apply to every DC. To do so, edit the Default Domain Controller Security Policy—for which there’s a shortcut in any DC's Administrative Tools folder—by maneuvering to Security Settings\Local Policies\Audit Policy and enabling Audit account management events for Success. . . .
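The following is an added example, not code from the original column, showing how the pattern described above can be checked from PowerShell. It assumes a Windows Server 2008 or later DC, where the password-reset event is ID 4724 and the account-changed event is ID 4738 (the successors of the older 628 and 642), and that the 4738 message carries a "Password Last Set:" line that reads "<never>" when the administrator ticked "User must change password at next logon". The sample event text is constructed and abbreviated; the function names, the seven-day window and the auditpol subcategory check are this example's own choices.

```powershell
# Added example (not the column's own code). Assumes Server 2008+ event IDs:
#   4724 = "An attempt was made to reset an account's password" (was 628)
#   4738 = "A user account was changed" (was 642); includes "Password Last Set:"
# A reset that forces a change at next logon shows Password Last Set: <never>.

function Test-AccountManagementAuditing {
    # Sanity check: is the Account Management subcategory auditing Success on this DC?
    $line = auditpol /get /subcategory:"User Account Management" 2>$null |
            Where-Object { $_ -match 'User Account Management' }
    return [bool]($line -match 'Success')
}

function Get-DomainControllerResetEvents {
    # Pull 4724/4738 from one DC's Security log; run against every DC, since a reset
    # is logged only on the DC that processed it.
    param([string]$ComputerName = $env:COMPUTERNAME, [int]$Days = 7)
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
        LogName = 'Security'; Id = 4724, 4738; StartTime = (Get-Date).AddDays(-$Days)
    }
}

function Get-ForcedChangeAudit {
    # Pairs each 4724 reset with the following 4738 for the same target account and
    # reports whether the reset forced a password change at next logon.
    # $Events: objects with Id, TimeCreated and Message (Get-WinEvent output works).
    param([Parameter(Mandatory)][object[]]$Events)

    $pending = @{}   # target account -> reset still awaiting its 4738
    $results = New-Object System.Collections.Generic.List[object]

    foreach ($e in ($Events | Sort-Object TimeCreated)) {
        # Both event types carry a "Target Account:" block with an "Account Name:" line
        $target = [regex]::Match($e.Message, 'Target Account:.*?Account Name:\s*(\S+)', 'Singleline').Groups[1].Value

        if ($e.Id -eq 4724) {
            $admin = [regex]::Match($e.Message, 'Subject:.*?Account Name:\s*(\S+)', 'Singleline').Groups[1].Value
            $pending[$target] = [pscustomobject]@{
                Time = $e.TimeCreated; Admin = $admin; Target = $target; ForceChangeAtNextLogon = $null
            }
        }
        elseif ($e.Id -eq 4738 -and $pending.ContainsKey($target)) {
            $pls = [regex]::Match($e.Message, 'Password Last Set:\s*(.+)').Groups[1].Value.Trim()
            if ($pls -ne '-') {                      # '-' means the attribute did not change
                $r = $pending[$target]
                $r.ForceChangeAtNextLogon = ($pls -eq '<never>')
                $results.Add($r)
                $pending.Remove($target)
            }
        }
    }
    # Resets with no matching 4738 are still reported, with the flag left as $null
    foreach ($r in $pending.Values) { $results.Add($r) }
    return $results
}

# Constructed, abbreviated sample events for an offline run (not real log data)
$sample = @(
    [pscustomobject]@{ Id = 4724; TimeCreated = [datetime]'2024-05-01 09:00:00'; Message = @"
An attempt was made to reset an account's password.
Subject:
	Account Name:		helpdesk1
Target Account:
	Account Name:		jsmith
"@
    }
    [pscustomobject]@{ Id = 4738; TimeCreated = [datetime]'2024-05-01 09:00:01'; Message = @"
A user account was changed.
Target Account:
	Account Name:		jsmith
Changed Attributes:
	Password Last Set:	<never>
"@
    }
    [pscustomobject]@{ Id = 4724; TimeCreated = [datetime]'2024-05-01 09:05:00'; Message = @"
An attempt was made to reset an account's password.
Subject:
	Account Name:		helpdesk2
Target Account:
	Account Name:		mjones
"@
    }
    [pscustomobject]@{ Id = 4738; TimeCreated = [datetime]'2024-05-01 09:05:01'; Message = @"
A user account was changed.
Target Account:
	Account Name:		mjones
Changed Attributes:
	Password Last Set:	5/1/2024 9:05:00 AM
"@
    }
)

# jsmith's reset forced a change at next logon; mjones's did not (policy violation)
Get-ForcedChangeAudit -Events $sample |
    Format-Table Time, Admin, Target, ForceChangeAtNextLogon -AutoSize
```

In production, replace $sample with the output of Get-DomainControllerResetEvents for each DC, and treat rows where ForceChangeAtNextLogon is $false as the policy violations to follow up on. Note that an administrator who only ticks the box without resetting the password produces a 4738 with <never> but no 4724, so a complete audit should also list unmatched 4738 events rather than only paired resets.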

