To determine the UserName that changed the Administrator password, perform the following on the PDC:
1. Enable Success and Failure audits for File and Object Access using User Manager for Domains / Policies / Audit.
2. Using Regedt32, select the SAM key in HKEY_LOCAL_MACHINE and use Security / Permissions to set Full Control for the Administrators local group. Check Change Permissions on Existing Subkeys.
3. Navigate to HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\000001F4, select Security / Audit Permissions and add the Administrators local group to the list. Select this group and enable Success and Failure auditing for Set Value events on this and all subkeys.
When a change is made to the Administrator account, the following event will indicate the UserName:
   ID: 560
   Source: Security
   Type: Success Audit
   Category: Object Access
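
An added example, not part of the original tip: with Object Access auditing on, event 560 is logged for many objects, so this filter reduces a text export of the Security log to the records that touch the Administrator key and returns the account named in each. The "Field: value" export layout, the account names and the function names are assumptions made for this example.

```python
# 000001F4 is hex for RID 500, the built-in Administrator account.
ADMIN_KEY = r"\SAM\SAM\Domains\Account\Users\000001F4"
# Constructed sample in an assumed "Field: value" text layout, records split
# by blank lines; the account names are made up for this example.
SAMPLE_EXPORT = r"""
Event ID: 560
Type: Success Audit
Object Name: \REGISTRY\MACHINE\SAM\SAM\Domains\Account\Users\000001F4
Primary User Name: SYSTEM
Client User Name: jsmith

Event ID: 560
Type: Success Audit
Object Name: \REGISTRY\MACHINE\SAM\SAM\Domains\Account\Users\000001F5
Primary User Name: SYSTEM
Client User Name: helpdesk1

Event ID: 560
Type: Failure Audit
Object Name: \REGISTRY\MACHINE\SAM\SAM\Domains\Account\Users\000001F4
Primary User Name: operator2
Client User Name: -

Event ID: 528
Type: Success Audit
"""

def parse_records(text):
    """Split the export into one dict of fields per record."""
    records = []
    for block in text.strip().split("\n\n"):
        pairs = (line.split(":", 1) for line in block.splitlines() if ":" in line)
        records.append({k.strip(): v.strip() for k, v in pairs})
    return records

def admin_key_accesses(records):
    """Return (audit type, account) for each event 560 on the Administrator key."""
    hits = []
    for rec in records:
        key = rec.get("Object Name", "").lower()
        if rec.get("Event ID") != "560" or ADMIN_KEY.lower() not in key:
            continue
        # An impersonated request names the real actor as the client user.
        user = rec.get("Client User Name", "-")
        if user == "-":
            user = rec.get("Primary User Name", "-")
        hits.append((rec.get("Type"), user))
    return hits

print(admin_key_accesses(parse_records(SAMPLE_EXPORT)))
```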