
I don't know much about AD or Windows security. As in this question, I understand that password change notification can be useful both for users and for system administrators.

As an AD administrator on Windows Server 2012 R2, can I configure the system to notify me of password changes for all accounts? If so, where and how?

Do more recent versions of Windows Server or AD provide this feature?

In my searches on the internet, I only get results for 'password expiry notification'.

simonpa71
    By configuration? No. But you could write code to notify you when the event occurs. – Greg Askew Jun 22 '22 at 10:40
  • Windows notifies users of expiring passwords using a notification (each day until it has to be changed, starting from a configurable number of days before it expires). Often, adjusting that time span is all that it takes to make users happy: https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/interactive-logon-prompt-user-to-change-password-before-expiration . For admins: sure, if admins use different accounts for themselves, they might miss a pw change request in time, but that will usually not matter, since when it expires, nothing bad happens. – Bernd Schwanenmeister Jun 22 '22 at 13:23

1 Answer


Powershell is your friend.

You will need to code it, but the starting point is this:

Get-ADUser -Filter * -Properties PasswordLastSet | Select-Object SamAccountName, Name, Enabled, PasswordLastSet

After your script sorts them, you need to create a recurring task that runs the command; from there you choose whether it emails you the result or notifies you some other way.

Related question, as it shows how to get PasswordLastSet as a variable you can sort by date: https://stackoverflow.com/questions/56466701/in-powershell-how-do-i-get-passwordlastset-as-datetime-instead-of-as-an-object-f

yagmoth555
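The polling approach the answer sketches, carried through as an added example (this is not code from the answer or from the question's author). It snapshots PasswordLastSet for every user, compares it with the snapshot saved by the previous run, and reports the accounts whose value moved. The baseline path, SMTP server and addresses are placeholders to be adjusted; the RSAT ActiveDirectory module and read access to user objects are assumed.

```powershell
# Added example, not part of the original answer. Polls AD for PasswordLastSet
# changes since the previous run and mails the differences.
# Assumptions (placeholders): ActiveDirectory module installed, the running
# account can read user objects, SMTP settings and baseline path as below.
#Requires -Modules ActiveDirectory
param(
    [string]$BaselinePath = "$env:ProgramData\PwdChangeWatch\baseline.json",
    [string]$SmtpServer   = 'smtp.example.com',     # placeholder
    [string]$From         = 'adwatch@example.com',  # placeholder
    [string]$To           = 'admins@example.com'    # placeholder
)

function Get-PasswordState {
    # Hashtable keyed by SamAccountName. PasswordLastSet is stored as a UTC
    # round-trip string so it survives JSON and compares as plain text; an
    # empty attribute (e.g. "must change at next logon") is recorded as 'never'.
    $state = @{}
    Get-ADUser -Filter * -Properties PasswordLastSet, Enabled | ForEach-Object {
        $pls = if ($_.PasswordLastSet) { $_.PasswordLastSet.ToUniversalTime().ToString('o') } else { 'never' }
        $state[$_.SamAccountName] = @{ PasswordLastSet = $pls; Enabled = [bool]$_.Enabled; Name = $_.Name }
    }
    return $state
}

function Compare-PasswordState {
    param([hashtable]$Old, [hashtable]$New)
    # A change is any account whose PasswordLastSet differs from the baseline;
    # accounts that did not exist at the last run are reported as new.
    $changes = foreach ($sam in $New.Keys) {
        $cur  = $New[$sam]
        $prev = $Old[$sam]
        if ($null -eq $prev) {
            [pscustomobject]@{ SamAccountName = $sam; Name = $cur.Name; Enabled = $cur.Enabled; Previous = '(new account)'; Current = $cur.PasswordLastSet }
        } elseif ($prev.PasswordLastSet -ne $cur.PasswordLastSet) {
            [pscustomobject]@{ SamAccountName = $sam; Name = $cur.Name; Enabled = $cur.Enabled; Previous = $prev.PasswordLastSet; Current = $cur.PasswordLastSet }
        }
    }
    return @($changes | Sort-Object Current -Descending)
}

# --- main: snapshot, diff against the saved baseline, persist, notify ---
$current  = Get-PasswordState
$baseline = @{}
if (Test-Path $BaselinePath) {
    # ConvertFrom-Json yields a PSCustomObject; rebuild the hashtable from it.
    (Get-Content $BaselinePath -Raw | ConvertFrom-Json).PSObject.Properties | ForEach-Object {
        $baseline[$_.Name] = @{ PasswordLastSet = $_.Value.PasswordLastSet; Enabled = $_.Value.Enabled; Name = $_.Value.Name }
    }
}

$changes = Compare-PasswordState -Old $baseline -New $current

# Write the new baseline before sending mail, so a failed send does not make
# the same changes reappear on the next run.
New-Item -ItemType Directory -Path (Split-Path $BaselinePath) -Force | Out-Null
$current | ConvertTo-Json -Depth 3 | Set-Content -Path $BaselinePath -Encoding UTF8

if ($baseline.Count -eq 0) {
    Write-Output "First run: baseline written for $($current.Count) accounts, nothing to report."
} elseif ($changes.Count -gt 0) {
    $body = $changes | Format-Table SamAccountName, Name, Enabled, Previous, Current -AutoSize | Out-String
    Write-Output $body
    Send-MailMessage -SmtpServer $SmtpServer -From $From -To $To `
        -Subject "AD password changes: $($changes.Count) account(s)" -Body $body
} else {
    Write-Output 'No password changes since last run.'
}
```

Register the script with Register-ScheduledTask (or schtasks) under an account that can read user objects and run it at whatever interval you can accept as detection latency. Two caveats a practitioner should keep in mind: this is polling, so a password that is changed twice between two runs shows up as a single change, and PasswordLastSet only records when the password was set, not who set it. If you need the actor and near-real-time notice, the Security log on the domain controllers carries event 4723 (user changed their own password) and 4724 (password reset by another account) once "Audit User Account Management" is enabled, and a scheduled task can be triggered on those events instead of on a timer.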