You can always play with command line and add the following registry keys:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\winlogon
Create following keys:
AutoAdminLogon = 1
DefaultUsername = currentUserName
DefaultPassword = currentPassword
Enable Advanced auditing on the domain controllers for Account Management: Audit User Account Management
Note that if you enable Advanced auditing, you must not use legacy auditing.
Here are some of the events of interest:
4723: An attempt was made to change an account's password
https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4723
The user attempted to change his/her own password. Subject and Target should always match. Don't confuse this event with 4724.
This event is logged as a failure if his new password fails to meet the password policy.
If the user fails to correctly enter his old password this event is not logged. Instead, for domain accounts, a 4771 is logged with kadmin/changepw as the service name.
This event is logged both for local SAM accounts and domain accounts.
You will also see event ID 4738 informing you of the same information.
4738: A user account was changed
https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4738
The user identified by Subject: changed the user identified by Target Account:.
Attributes show some of the properties that were set at the time the account was changed.
This event is logged both for local SAM accounts and domain accounts.
Depending on what was changed you may see other User Account Management events specific to certain operations like password resets.
4724: An attempt was made to reset an accounts password
https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4724
The Subject attempted to reset the password of the Target:
Don't confuse this event with 4723.
This event is logged as a failure if the new password fails to meet the password policy.
This event is logged both for local SAM accounts and domain accounts.
You will also see one or more event ID 4738s informing you of the same information.
Best Answer
Following the advice of David and Brad I checked group policy using
gpresult /v
and found a policy called Multi-Factor-Authentication-ADMINS, which appears to be setting some registry keys in SOFTWARE\Policies\PassGo Technologies\Defender\Defender GINA.It appears to be a product called Quest Defender (now owned by Dell Software), and there is an entry in the Control Panel Add-Remove programs section called Defender Desktop Login
So it appears we have a new two factor authentication system. I'll check with our IT department and report back if I find a way to remove it.