I've searched all over for an answer to this simple question. I use powershell frequently; by no means am I an expert though. I am looking for a powershell command/script to tell me what domain admin changed a user's password last.
Powershell – see who changed a user’s password powershell
active-directorypowershell
Related Topic
- Powershell – Check if User Password Input is Valid
- Powershell script for setting password expiry
- Powershell – Reset AD expired password with user credentials using a PowerShell script
- Powershell – Find all users with password never expires
- Powershell – Automatically Passing Password to Remove-Computer Powershell Script
- Powershell take ownership of AD Objects
- powershell – Delete Registry Value Specific to User in User’s Hive
- Powershell – How to get a user’s password expiry date using Powershell (from a different domain, using SSL)
Best Answer
To be able to tell who made an password change, you need Active Directory Auditing enabled first. Only password changes made after you enable AD Auditing will be logged. Password changes are logged as Windows Event ID 4723 and 4724. You can use powershell to access the Windows Event 628 using the cmdlet
Get-WinEvent
.The event message comes like this:
To get the event with powershell, you can filter it like that:
To enable Active Directory Auditing: https://technet.microsoft.com/en-us/library/cc731607(v=ws.10).aspx
For more info about the cmdlet
Get-WinEvent
: https://technet.microsoft.com/en-us/library/hh849682.aspx