Windows Event ID 4723 – Microsoft-Windows-Security-Auditing: User Account Password Change Attempt

Event ID 4723 logs when a user attempts to change another user's password. This security audit event tracks administrative password reset operations and helps monitor unauthorized password modifications across Windows domains.

Emanuel DE ALMEIDA
17 March 2026 · 12 min read
Event Reference

What This Event Means

Event ID 4723 represents a critical security audit event that Windows generates when password change operations occur across the network. This event is part of the Account Management audit category and requires proper audit policy configuration to capture these activities effectively.

The event structure includes several key fields: the subject (who initiated the change), the target account (whose password was changed), and contextual information such as the source workstation and process details. Windows generates this event on domain controllers when processing password changes for domain accounts, and on local systems when changing local user passwords.

Understanding Event ID 4723 is crucial for security administrators managing Windows environments in 2026. With the increased focus on zero-trust security models and enhanced audit requirements, this event helps organizations maintain visibility into password management activities. The event works in conjunction with Group Policy settings and Advanced Audit Policy Configuration to provide comprehensive password change tracking.

Modern Windows deployments often integrate Event ID 4723 monitoring with SIEM solutions and security orchestration platforms. The structured event data enables automated analysis and alerting when suspicious password change patterns emerge, supporting proactive security monitoring and incident response capabilities.

Applies to

Windows 10, Windows 11, Windows Server 2019/2022/2025
Analysis

Possible Causes

  • Administrator changing user passwords through Active Directory Users and Computers console
  • PowerShell cmdlets like Set-ADAccountPassword or Reset-ADAccountPassword executing password changes
  • NET USER commands with password parameters modifying local or domain accounts
  • Automated password management systems performing scheduled password rotations
  • Service account password changes initiated by applications or scripts
  • Help desk personnel resetting user passwords through administrative tools
  • Programmatic password changes through LDAP or Windows API calls
  • Group Policy-driven password changes during policy enforcement
Resolution Methods

Troubleshooting Steps

01. Review Event Details in Event Viewer

Start by examining the specific Event ID 4723 details to understand the password change context and identify the involved accounts.

  1. Open Event Viewer by pressing Win + R, typing eventvwr.msc, and pressing Enter
  2. Navigate to Windows Logs → Security
  3. Filter the log by clicking Filter Current Log in the Actions pane
  4. Enter 4723 in the Event IDs field and click OK
  5. Double-click on Event ID 4723 entries to view detailed information
  6. Review the following key fields in the event details:
    • Subject: Account that initiated the password change
    • Target Account: Account whose password was changed
    • Workstation Name: Source computer for the operation
    • Process Information: Application or service that performed the change
Pro tip: Look for patterns in the Subject and Target Account fields to identify bulk password changes or suspicious administrative activities.

02. Query Events Using PowerShell

Use PowerShell to efficiently query and analyze Event ID 4723 occurrences across your environment with advanced filtering capabilities.

  1. Open PowerShell as Administrator
  2. Query recent Event ID 4723 entries with basic filtering:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4723} -MaxEvents 50 | Format-Table TimeCreated, Id, LevelDisplayName, Message -Wrap
  3. Filter events by specific time range:
    $StartTime = (Get-Date).AddDays(-7)
    $EndTime = Get-Date
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4723; StartTime=$StartTime; EndTime=$EndTime}
  4. Extract detailed event properties for analysis:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4723} -MaxEvents 10 | ForEach-Object {
        [xml]$EventXML = $_.ToXml()
        $EventData = $EventXML.Event.EventData.Data
        [PSCustomObject]@{
            TimeCreated = $_.TimeCreated
            SubjectUserName = ($EventData | Where-Object {$_.Name -eq 'SubjectUserName'}).'#text'
            TargetUserName = ($EventData | Where-Object {$_.Name -eq 'TargetUserName'}).'#text'
            WorkstationName = ($EventData | Where-Object {$_.Name -eq 'WorkstationName'}).'#text'
        }
    }
  5. Export results for further analysis:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4723} | Export-Csv -Path "C:\Temp\PasswordChanges.csv" -NoTypeInformation
Warning: Large Security logs may cause PowerShell queries to run slowly. Use time-based filtering to improve performance.

03. Configure Advanced Audit Policy

Ensure proper audit policy configuration to capture Event ID 4723 consistently across your Windows environment.

  1. Open Group Policy Management Console or run gpedit.msc for local policy
  2. Navigate to Computer Configuration → Windows Settings → Security Settings → Advanced Audit Policy Configuration
  3. Expand Account Management and locate Audit User Account Management
  4. Configure the policy to audit both Success and Failure events
  5. Verify current audit settings using PowerShell:
    auditpol /get /subcategory:"User Account Management"
  6. Apply audit policy changes immediately:
    gpupdate /force
  7. Test the configuration by performing a password change and verifying Event ID 4723 generation
  8. For domain environments, link the Group Policy Object to appropriate Organizational Units
Pro tip: Enable audit policy on domain controllers and member servers to capture comprehensive password change activities across your Active Directory environment.

04. Implement Automated Monitoring and Alerting

Set up automated monitoring for Event ID 4723 to detect suspicious password change patterns and maintain security oversight.

  1. Create a PowerShell script for continuous monitoring:
    # Monitor-PasswordChanges.ps1
    $LastCheck = (Get-Date).AddMinutes(-5)
    while ($true) {
        # Fix the upper bound before querying so no events fall between two polls
        $Now = Get-Date
        $Events = Get-WinEvent -FilterHashtable @{
            LogName='Security'
            Id=4723
            StartTime=$LastCheck
            EndTime=$Now
        } -ErrorAction SilentlyContinue
        
        # Loop variable is $Record because $Event is a PowerShell automatic variable
        foreach ($Record in $Events) {
            [xml]$EventXML = $Record.ToXml()
            $EventData = $EventXML.Event.EventData.Data
            $Subject = ($EventData | Where-Object {$_.Name -eq 'SubjectUserName'}).'#text'
            $Target = ($EventData | Where-Object {$_.Name -eq 'TargetUserName'}).'#text'
            
            Write-Host "Password change detected: $Subject changed password for $Target" -ForegroundColor Yellow
            # Add alerting logic here
        }
        
        # The next poll starts exactly where this one ended
        $LastCheck = $Now
        Start-Sleep -Seconds 300
    }
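  2. Configure Windows Task Scheduler to run the monitoring script. The task runs as SYSTEM, so restrict write access to the script file and its folder to administrators: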
    $Action = New-ScheduledTaskAction -Execute "PowerShell.exe" -Argument "-File C:\Scripts\Monitor-PasswordChanges.ps1"
    $Trigger = New-ScheduledTaskTrigger -AtStartup
    $Principal = New-ScheduledTaskPrincipal -UserId "SYSTEM" -LogonType ServiceAccount
    Register-ScheduledTask -TaskName "Monitor Password Changes" -Action $Action -Trigger $Trigger -Principal $Principal
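  3. Set up email notifications for critical events using PowerShell. Microsoft marks Send-MailMessage as obsolete because it does not guarantee a secure connection to the SMTP server, so use -UseSsl where the server supports it:
    Send-MailMessage -To "security@company.com" -From "alerts@company.com" -Subject "Password Change Alert" -Body "Event ID 4723 detected" -SmtpServer "mail.company.com" -UseSsl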
  4. Integrate with SIEM solutions by forwarding events using Windows Event Forwarding or log shipping agents
Warning: Continuous monitoring scripts can consume system resources. Implement appropriate throttling and error handling mechanisms.

05. Forensic Analysis and Correlation

Perform comprehensive forensic analysis of Event ID 4723 patterns to identify security incidents and administrative anomalies.

  1. Create a comprehensive analysis script for pattern detection:
    # Analyze-PasswordChangePatterns.ps1
    $Events = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4723} -MaxEvents 1000
    $Analysis = @{}
    
    # Loop variable is $Record because $Event is a PowerShell automatic variable
    foreach ($Record in $Events) {
        [xml]$EventXML = $Record.ToXml()
        $EventData = $EventXML.Event.EventData.Data
        $Subject = ($EventData | Where-Object {$_.Name -eq 'SubjectUserName'}).'#text'
        
        if ($Analysis.ContainsKey($Subject)) {
            $Analysis[$Subject]++
        } else {
            $Analysis[$Subject] = 1
        }
    }
    
    # Identify accounts with high password change activity
    $Analysis.GetEnumerator() | Sort-Object Value -Descending | Select-Object -First 10
  2. Cross-reference with other security events for comprehensive analysis:
    # Correlate with logon events
    $PasswordChanges = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4723} -MaxEvents 100
    $LogonEvents = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624} -MaxEvents 1000
    
    # Analyze temporal correlation between password changes and logons
  3. Generate detailed forensic reports:
    $Report = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4723} | ForEach-Object {
        [xml]$EventXML = $_.ToXml()
        $EventData = $EventXML.Event.EventData.Data
        [PSCustomObject]@{
            Timestamp = $_.TimeCreated
            Administrator = ($EventData | Where-Object {$_.Name -eq 'SubjectUserName'}).'#text'
            TargetUser = ($EventData | Where-Object {$_.Name -eq 'TargetUserName'}).'#text'
            Workstation = ($EventData | Where-Object {$_.Name -eq 'WorkstationName'}).'#text'
            ProcessName = ($EventData | Where-Object {$_.Name -eq 'ProcessName'}).'#text'
        }
    }
    
    $Report | Export-Csv -Path "C:\Forensics\PasswordChangeAnalysis.csv" -NoTypeInformation
  4. Check registry settings for audit configuration:
    Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\Security" -Name "MaxSize"
  5. Validate audit policy effectiveness across domain controllers using Group Policy Results
Pro tip: Combine Event ID 4723 analysis with network traffic logs and authentication events to build comprehensive security timelines during incident investigations.
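
The temporal correlation that step 2 of this method leaves as a comment can be done as shown here. This is an added example, not code from the original article: the records are constructed sample data, and the function name Get-PrecedingLogon, the 15-minute window and the property names of the sample objects are assumptions.

```powershell
# Constructed sample records (not real log data). In practice, build them from
# Get-WinEvent output: for 4723 use SubjectUserName/TargetUserName; for 4624 use
# TargetUserName (the account that logged on), LogonType and IpAddress.
$PasswordChanges = @(
    [PSCustomObject]@{ Time = [datetime]'2026-03-10T02:14:00'; Subject = 'helpdesk01'; Target = 'jsmith' }
    [PSCustomObject]@{ Time = [datetime]'2026-03-10T09:30:00'; Subject = 'admin02';    Target = 'mlee' }
)
$Logons = @(
    [PSCustomObject]@{ Time = [datetime]'2026-03-10T02:11:30'; User = 'helpdesk01'; LogonType = 3; SourceIp = '10.0.5.77' }
    [PSCustomObject]@{ Time = [datetime]'2026-03-10T02:13:10'; User = 'helpdesk01'; LogonType = 3; SourceIp = '10.0.5.77' }
    [PSCustomObject]@{ Time = [datetime]'2026-03-10T07:55:00'; User = 'admin02';    LogonType = 2; SourceIp = '-' }
)

function Get-PrecedingLogon {
    # Returns the most recent logon by the change's Subject inside the look-back window
    param(
        [Parameter(Mandatory)] $Change,
        [Parameter(Mandatory)] [object[]] $Logons,
        [int] $WindowMinutes = 15    # assumed look-back window
    )
    $From = $Change.Time.AddMinutes(-$WindowMinutes)
    $Logons |
        Where-Object { $_.User -eq $Change.Subject -and $_.Time -ge $From -and $_.Time -le $Change.Time } |
        Sort-Object Time -Descending |
        Select-Object -First 1
}

$Timeline = foreach ($Change in $PasswordChanges) {
    $Logon = Get-PrecedingLogon -Change $Change -Logons $Logons
    [PSCustomObject]@{
        ChangeTime  = $Change.Time
        Subject     = $Change.Subject
        Target      = $Change.Target
        LogonTime   = if ($Logon) { $Logon.Time } else { $null }
        LogonType   = if ($Logon) { $Logon.LogonType } else { $null }
        SourceIp    = if ($Logon) { $Logon.SourceIp } else { $null }
        # No logon in the window: the session is older than the window or the logon was not captured
        NoLogonSeen = -not $Logon
    }
}
$Timeline | Format-Table -AutoSize
```

With the sample data, the helpdesk01 change pairs with the 02:13:10 network logon from 10.0.5.77, while the admin02 change has NoLogonSeen set because its only logon is more than 15 minutes older.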

Overview

Event ID 4723 fires whenever a user attempts to change another user's password through administrative tools or programmatic methods. This security audit event is part of Windows Advanced Audit Policy and appears in the Security log when password change operations occur. The event captures both successful and failed password change attempts, making it essential for security monitoring and compliance auditing.

This event differs from Event ID 4724 (password reset) as it specifically tracks password changes initiated by administrators or users with appropriate privileges. Domain controllers and member servers generate this event when processing password change requests through various methods including Active Directory Users and Computers, PowerShell cmdlets, or NET commands.

Security teams rely on Event ID 4723 to detect unauthorized password modifications, track administrative activities, and maintain audit trails for compliance requirements. The event provides detailed information about who initiated the password change, the target account, and the source workstation, making it valuable for forensic investigations and security incident response.

Frequently Asked Questions

What is the difference between Event ID 4723 and Event ID 4724?
Event ID 4723 logs password change attempts where a user changes another user's password, typically through administrative tools. Event ID 4724 specifically tracks password reset operations, often initiated by administrators or automated systems. The key distinction is that 4723 focuses on change operations while 4724 covers reset scenarios. Both events appear in the Security log but serve different audit purposes in tracking password management activities.
Why am I not seeing Event ID 4723 in my Security log?
Event ID 4723 requires proper audit policy configuration to appear in logs. You must enable 'Audit User Account Management' under Advanced Audit Policy Configuration. Check your Group Policy settings under Computer Configuration → Windows Settings → Security Settings → Advanced Audit Policy Configuration → Account Management. Ensure both Success and Failure auditing are enabled. Additionally, verify that the Security log has sufficient space and retention settings to capture these events.
Can Event ID 4723 help detect unauthorized password changes?
Yes, Event ID 4723 is excellent for detecting unauthorized password modifications. Monitor for unusual patterns such as password changes occurring outside business hours, bulk password changes by single administrators, or changes initiated from unexpected workstations. Set up automated alerts for high-frequency password changes or changes involving privileged accounts. Cross-reference the Subject field (who made the change) with authorized administrative personnel to identify potential security incidents.
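
Two of the patterns named in this answer, bulk changes by a single account and changes outside business hours, can be checked as shown here; the same logic could fill the alerting placeholder in the monitoring script of method 04. This is an added example, not code from the original article: the records are constructed sample data, and the function names, thresholds and business hours are assumptions.

```powershell
# Constructed sample records (not real log data). In practice, build them from
# Get-WinEvent output: Time = TimeCreated, Subject = SubjectUserName, Target = TargetUserName.
$Changes = @(
    [PSCustomObject]@{ Time = [datetime]'2026-03-10T02:14:05'; Subject = 'helpdesk01'; Target = 'jsmith' }
    [PSCustomObject]@{ Time = [datetime]'2026-03-10T02:15:40'; Subject = 'helpdesk01'; Target = 'mlee' }
    [PSCustomObject]@{ Time = [datetime]'2026-03-10T02:17:10'; Subject = 'helpdesk01'; Target = 'akhan' }
    [PSCustomObject]@{ Time = [datetime]'2026-03-10T09:30:00'; Subject = 'admin02';    Target = 'bwong' }
    [PSCustomObject]@{ Time = [datetime]'2026-03-10T14:05:00'; Subject = 'admin02';    Target = 'cdiaz' }
)

function Find-PasswordChangeBurst {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [int] $Threshold = 3,        # distinct target accounts (assumed value)
        [int] $WindowMinutes = 10    # sliding window length (assumed value)
    )
    foreach ($Group in ($Events | Group-Object Subject)) {
        $Sorted = @($Group.Group | Sort-Object Time)
        $Left = 0
        for ($Right = 0; $Right -lt $Sorted.Count; $Right++) {
            # Advance the left edge until the window spans at most $WindowMinutes
            while (($Sorted[$Right].Time - $Sorted[$Left].Time).TotalMinutes -gt $WindowMinutes) { $Left++ }
            $Targets = @($Sorted[$Left..$Right].Target | Sort-Object -Unique)
            if ($Targets.Count -ge $Threshold) {
                [PSCustomObject]@{
                    Subject = $Group.Name
                    From    = $Sorted[$Left].Time
                    To      = $Sorted[$Right].Time
                    Targets = $Targets -join ', '
                }
                break   # one finding per subject is enough to raise an alert
            }
        }
    }
}

function Test-OffHours {
    param([datetime] $Time, [int] $DayStart = 7, [int] $DayEnd = 19)   # assumed business hours
    $Time.DayOfWeek -in 'Saturday', 'Sunday' -or $Time.Hour -lt $DayStart -or $Time.Hour -ge $DayEnd
}

$Bursts   = Find-PasswordChangeBurst -Events $Changes
$OffHours = $Changes | Where-Object { Test-OffHours -Time $_.Time }
$Bursts   | Format-Table -AutoSize
$OffHours | Format-Table -AutoSize
```

With the sample data, helpdesk01 is reported once for three distinct targets between 02:14:05 and 02:17:10, and the same three records are the only off-hours entries.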
How can I filter Event ID 4723 for specific user accounts?
Use PowerShell with an XPath filter on the event's XML data to select Event ID 4723 entries for specific accounts. For example: Get-WinEvent -LogName Security -FilterXPath "*[System[(EventID=4723)]] and *[EventData[Data[@Name='TargetUserName']='specificuser']]". This matches the TargetUserName field directly instead of searching the rendered message text, which does not contain the field name. For further processing, parse the XML event data to extract the TargetUserName field. You can also use Event Viewer's custom views to create saved filters for monitoring specific accounts or administrators who frequently change passwords.
What information does Event ID 4723 provide for forensic analysis?
Event ID 4723 provides comprehensive forensic data including the Subject (who initiated the change), Target Account (whose password was changed), Workstation Name (source computer), Process Name and ID (application used), and precise timestamps. This information enables forensic investigators to build timelines, identify attack patterns, and correlate password changes with other security events. The event also includes security identifiers (SIDs) and domain information, making it valuable for cross-domain incident analysis and compliance reporting.
Written by

Emanuel DE ALMEIDA

Senior IT Journalist & Cloud Architect

Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.
