How to determine whether users changed their passwords before an account lockout

This step-by-step article describes how to determine whether users changed their passwords before an account lockout. You may want to configure an audit account management policy to determine whether users changed their passwords before an account lockout occurred. This policy may be useful when users forget their new passwords, or when users continue to use their old passwords.

Audit Account Management in Microsoft Windows 2000 Server and Windows Server 2003

1. Click Start, and then click Run.
2. In the Open box, type mmc, and then click OK.
3. On the Console menu, click Add/Remove Snap-in, and then click Add.
4. In the Add Standalone Snap-in dialog box, click Group Policy, click Add, click Finish, click Close, and then click OK.
5. Double-click Local Computer Policy, and then double-click Computer Configuration.
6. Double-click Windows Settings, and then double-click Security Settings.
7. Double-click Local Policies, and then double-click Audit Policy.
8. In the right pane, double-click Audit account management.
9. In the Local Security Policy Setting dialog box, click to select the Success and the Failure check boxes, and then click OK.
10. Click Start, point to Programs, point to Administrative Tools, and then click Event Viewer.
11. Click Security Log, and then in the right pane, double-click Success Audit or Failure Audit.

Audit Account Management in Microsoft Windows NT 4.0

1. Click Start, point to Programs, point to Administrative Tools, and then click User Manager for Domains.
2. Click Policies on the menu bar, and then click Audit.
3. Click Audit These Events.
4. Click to select the Failure check box for the Logon and Logoff event.
5. Click to select the Success and the Failure check boxes for the User and Group Management event, and then click OK.
6. Click Start, point to Programs, point to Administrative Tools, and then click Event Viewer.
7. Click Log on the menu bar, and then click Security.

The following is an example an account management event:

Event Type: Success Audit
Event Type: Success Audit
Event Source: Security
Event Category: Account Management
Event ID: 642 Date: 8/12/2008
Time: 3:13:33 PM
User: CONTOSO\administrator
Computer: CONTOSO-DCB
Description: User Account Changed:
Target Account Name: t
Target Domain: CONTOSO
Target Account ID: CONTOSO\t
Caller User Name: administrator
Caller Domain: CONTOSO
Caller Logon ID: (0x0,0x233FF)
Privileges: -
Changed Attributes:
Sam Account Name: -
Display Name: - User
Principal Name: -
Home Directory: -
Home Drive: -
Script Path: -
Profile Path: -
User Workstations: -
Password Last Set: 8/12/2008 3:13:33 PM
Account Expires: -
Primary Group ID: -
AllowedToDelegateTo: -
Old UAC Value: -
New UAC Value: -
User Account Control: -
User Parameters: -
Sid History: -
Logon Hours: -

To see a list of all account management events, visit the following Microsoft Web site:

For more information about security event descriptions, click the following article numbers to view the articles in the Microsoft Knowledge Base: For more information about password and account lockout features in Microsoft Windows 2000 Server and Windows Server 2003, click the following article number to view the article in the Microsoft Knowledge Base: