Group Policy for Password Monitoring

As an administrator, you have to ensure that your network is secure.  A big part of that includes deciding on a password strategy for user accounts and administrator accounts.  You can educate your users on best practices for password creation but you can also enable policies that force users to adhere to the best practices.  In addition, you can monitor your network for password changes and account lockouts.

Educating Users

• Require the use of strong passwords. Below is the definition of a Strong password as defined by Windows:
  1. Password is at least eight characters long.
  2. Does not contain your user name, real name, or company name.
  3. Does not contain a complete word.
  4. Is significantly different from previous passwords.
  5. Contains characters from each of the following four categories: Define a Minimum password length policy setting so that passwords must consist of at least a specified number of characters. Long passwords–seven or more characters–are usually stronger than short ones. With this policy setting, users cannot use blank passwords, and they have to create passwords that are a certain number of characters long.
• You always hear that passwords should never be written down. In some cases, a password may be too complex to memorize.  If that is that case, be sure to store the paper in a secure place and destroy it when it is no longer needed.
• Never share passwords.
• A different password should be used for all user accounts.
• If a password is believed to have been compromised, it should be changed immediately.
• If there is an option for an application to remember the password, the user should choose never.
• Do not allow previous passwords to be used.
• Require users to change their passwords on a regular basis. Depending on your organization, a good rule of thumb is for users to change passwords every 90 days and administrators to change their passwords every 30 days.
• Define a minimum password age to prevent users from repeatedly changing their passwords to bypass the enforce password history policy.

Group Policy to Monitor Password Changes

The Group Policy that you need to enable to monitor password changes is the User Account Management Audit Policy. This policy setting allows you to audit changes to user accounts to include when a user account is created, changed, deleted; renamed, disabled, enabled, locked out, or unlocked. It also monitors when a user account’s password is set or changed.

You can get to this setting by going to Computer Configuration | Windows Settings | Security Settings | Advanced Audit Policy Configuration | Account Management | User Account Management.

After enabling the Success and Failure of the Audit User Account Management, you can look for the events 4273 and 4274 in the Security log of the Event Viewer.  Event 4273 indicates an attempt was made to change an account’s password and Event 4274 indicates an attempt was made to reset an account’s password.

Troy Thompson

Troy has worked in network administration for over 25 years, serving as a network engineer and Microsoft Exchange administration in Department of Defense, writing technology articles, tutorials, and white papers and technical edits. Troy is a Cisco Certified Academy Instructor (CCAI), and has numerous other certifications including CCNA, MSCE+I, Network+, A+ and Security+.