Q: How is the Active Directory (AD) Reset Password permission different from the Change Password permission? How does the Windows system log reset password and change password events in the Event Viewer?
A: Although resetting a password and changing a password end in the same state (the account has a new password), they're two completely different actions, with different authorization requirements and, as discussed below, a different audit trail.
A password change is a user action, where a user enters a new password for his or her own Windows user account. Windows authenticates the user before allowing the change, which means the user must always supply the current password before a new one is accepted. The user must also hold the Change Password permission (an AD extended right) on his or her domain account object; by default that right is granted to Everyone and to SELF on user objects, so ordinary users can change their own passwords. A user can change his or her password from the User Accounts Control Panel applet or from the Change Password option in the Windows Security dialog box that appears after pressing Ctrl+Alt+Del.
A password reset is an administrative action, where a Windows administrator (or any account that holds the Reset Password permission on the target user's account object) sets a new password on that account. As opposed to a password change, a reset doesn't require knowledge of the old password, which is exactly why the Reset Password right should be treated as a privilege: whoever holds it on an account can take that account over. Password resets can be launched from one of the AD account management tools such as the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in or the Active Directory Administrative Center.
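The following PowerShell is an added example (not part of the original Q&A) that performs the two operations side by side with the ActiveDirectory module and then lists which principals hold the Change Password and Reset Password extended rights on the account. The account name `jdoe` and the RSAT/ActiveDirectory module being available are assumptions; the two GUIDs are the schema `rightsGuid` values for the User-Change-Password and User-Force-Change-Password control access rights.

```powershell
# Added example, not from the original article. Assumes the ActiveDirectory module
# (RSAT) and a hypothetical sample account 'jdoe'.
Import-Module ActiveDirectory

$user = 'jdoe'   # hypothetical sample account

# 1. Password CHANGE: caller must prove knowledge of the current password.
#    Needs the Change Password extended right (granted to Everyone/SELF by default).
$old = Read-Host -AsSecureString 'Current password'
$new = Read-Host -AsSecureString 'New password'
Set-ADAccountPassword -Identity $user -OldPassword $old -NewPassword $new

# 2. Password RESET: no old password; needs the Reset Password extended right on the object.
Set-ADAccountPassword -Identity $user -Reset -NewPassword $new
# Usual follow-up after an administrative reset: make the user pick their own password.
Set-ADUser -Identity $user -ChangePasswordAtLogon $true

# 3. Who holds each right on this object? Extended-right GUIDs from the AD schema
#    (rightsGuid of the controlAccessRight objects):
$ChangePasswordGuid = [guid]'ab721a53-1e2f-11d0-9819-00aa0040529b'   # User-Change-Password
$ResetPasswordGuid  = [guid]'00299570-246d-11d0-a768-00aa006e0529'   # User-Force-Change-Password
$AllExtendedRights  = [guid]'00000000-0000-0000-0000-000000000000'   # ACE covering every extended right

$dn  = (Get-ADUser -Identity $user).DistinguishedName
$acl = Get-Acl -Path "AD:\$dn"

$acl.Access |
    Where-Object {
        $_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
        ($_.ObjectType -in @($ChangePasswordGuid, $ResetPasswordGuid, $AllExtendedRights))
    } |
    Select-Object IdentityReference, AccessControlType, IsInherited,
        @{ n = 'Right'; e = {
            switch ($_.ObjectType) {
                $ChangePasswordGuid { 'Change Password' }
                $ResetPasswordGuid  { 'Reset Password' }
                default             { 'All extended rights' }
            }
        } }
```

The ACE listing is deliberately broad: an ACE that grants all extended rights (all-zero ObjectType) confers Reset Password just as a specific ACE does, and a GenericAll or WriteDacl grant, which this filter does not show, lets the holder reach the same outcome. When reviewing who can reset a sensitive account, check those as well.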
Starting with Windows Server 2003, Windows logs different event IDs for the password change and password reset events, provided account management auditing is enabled. It logs event ID 627 for a password change event and event ID 628 for a password reset event. Windows 2000 logged event ID 627 for both password change and password reset events. On Windows Server 2008 and later the same distinction survives under the new Security log IDs: 4723 for a password change attempt and 4724 for a password reset attempt, both under the Audit User Account Management subcategory. In every case the event is written on the domain controller that processed the operation, so collect from all DCs, not just one.
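The following PowerShell is an added example (not part of the original Q&A) that pulls the two kinds of event from a domain controller's Security log, for both the legacy IDs named in the answer and their Windows Server 2008+ equivalents, and flags resets that were not performed by an expected helpdesk principal. It assumes it runs on a DC with read access to the Security log; the helpdesk account list is a hypothetical placeholder.

```powershell
# Added example, not from the original article. Run on a domain controller (or add
# -ComputerName) with permission to read the Security log.

# Legacy DCs (Windows 2000/2003): classic Security log, IDs 627 (change) and 628 (reset).
Get-EventLog -LogName Security -InstanceId 627, 628 -Newest 50 -ErrorAction SilentlyContinue |
    Select-Object TimeGenerated, EntryType,
        @{ n = 'Action'; e = { if ($_.InstanceId -eq 627) { 'Change' } else { 'Reset' } } },
        Message

# Windows Server 2008+: IDs 4723 (change) and 4724 (reset). Read the named EventData
# fields from the event XML instead of trusting positional insertion strings.
$helpdesk = @('svc_helpdesk', 'hd_alice')   # hypothetical: accounts expected to reset passwords

$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4723, 4724 } `
                       -MaxEvents 500 -ErrorAction SilentlyContinue

foreach ($ev in $events) {
    $data = @{}
    foreach ($d in ([xml]$ev.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    $action = if ($ev.Id -eq 4723) { 'Change' } else { 'Reset' }
    $self   = $data.SubjectUserName -eq $data.TargetUserName

    # A change normally comes from the account itself and proves the old password.
    # A reset by a different principal is the administrative case; flag resets done by
    # anyone outside the expected helpdesk set for review.
    $review = ($ev.Id -eq 4724) -and (-not $self) -and ($helpdesk -notcontains $data.SubjectUserName)

    [pscustomobject]@{
        Time    = $ev.TimeCreated
        Action  = $action
        Target  = "$($data.TargetDomainName)\$($data.TargetUserName)"
        Subject = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
        Outcome = if ($ev.KeywordsDisplayNames -contains 'Audit Success') { 'Success' } else { 'Failure' }
        Review  = $review
    }
}
```

Both 4723 and 4724 are logged on failure as well as success (a change fails, for example, when the old password is wrong or the new one violates policy), so keep the Outcome column: a run of failed 4723 events against one account followed by a successful 4724 from an unexpected subject is a pattern worth an analyst's attention.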