Skip navigation

JSI Tip 0255 - Who changed the @!#* administrator's password?

To determine the UserName that changed the Administrator password, perform the following on the PDC:

1. Enable Success and Failure audits for File and Object Access using
   User Manager for Domains / Policies / Audit.

2. Using Regedt32, select the SAM key in HKEY_LOCAL_MACHINE and use Security / Permissions
    to set Full Control for the Administrators local group. Check Change Permissions on Existing Subkeys.

3. Navigate to HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\000001F4, select Security / Audit Permissions
   and add the Administrators local group to the list. Select this group and enable Success and Failure auditing
   for Set Value events on this and all subkeys.

When a change is made to the Administrator account, the event:

ID: 560
Source: Security
Type: Success Audit
Category: Object Access

will indicate the UserName.

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.