Select the product you need help with
- Internet Explorer
- Windows Phone
- More products
How to Identify the User Who Changed the Administrator Password
Article ID: 173939 - View products that this article applies to.
This article was previously published under Q173939
Enabling auditing for user and group management will generate audit events when user or group accounts are changed. However, the events will list the security ID (SID) rather than the user name of the user who made the change.
For security purposes, it is often desirable to know the user name of the user who made the change. This can be accomplished by auditing changes on the registry key corresponding to the Administrator account.
This procedure should be performed at the console of the primary domain controller. This procedure should NOT be attempted over a WAN because of the large number of registry changes involved.
WARNING: Using Registry Editor incorrectly can cause serious, system-wide problems that may require you to reinstall Windows NT to correct them. Microsoft cannot guarantee that any problems resulting from the use of Registry Editor can be solved. Use this tool at your own risk.
When any changes are made to the Administrator account, several events will be generated. The event indicating the user who made the change will be:
ID: 560 Source: Security Type: Success Audit Category: Object Access
This event will indicate the user who made the change, and the date and time of the change.