Kaseya Community

Local Administrator Password Changed

I need to see if it is possible to be notified when the local administrator account password on workstations has been changed, and possibly when it was done. We had an employee leave our company, and I found out that they are still conversing with other employees about issues with their systems and are trying to help them out.

All Replies
  • Local policy comes to mind.

    Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policy > Audit account management

    This will cause account/password changes to generate events in the Security log. Create an event set that alerts on event IDs 628 and 642.

  • You could use Monitor Tab > Alerts > event logs

    set an alert for Audit Success/Fail

    Event ID = 4738

    level = info

    Description = A user account was changed

    Subject:
        Security ID: domain\account     "this is the account making the change"
        Account Name: account

    Target Account:
        Security ID: Domain\account     "this is the account changed"
        Account Name: account           "account changed"

    so if you wanted to build an event log it would look like this.

    <?xml version="1.0" encoding="ISO-8859-1" ?>
    <event_sets>
      <set_elements setName="Account Change" eventSetId="39164190" snmpTraps="0">
        <element_data ignore="0" source="*" category="user account management" eventId="4738" username="*" description="*account was changed*"/>
      </set_elements>
    </event_sets>

  • take my previous post, and you could even add in additional filters in the description if you're looking for specific names, like

    *Account Name: name*  

    that should trigger only on specific names being changed or making a change.
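
An offline check of the event set and description filters from the replies above, added here as an example and not part of the thread or of Kaseya's own matching code. The wildcard semantics in `wildcard_match`, the helper names, the account names (`jsmith`, `bob`, `CORP`, `PC01`), and the sample events are all constructed assumptions; the last pattern is an added variant that anchors on the Target Account block.

```python
import re
import xml.etree.ElementTree as ET

# Event set XML from the thread (XML declaration omitted for parsing from str).
EVENT_SET = """<event_sets>
  <set_elements setName="Account Change" eventSetId="39164190" snmpTraps="0">
    <element_data ignore="0" source="*" category="user account management" eventId="4738" username="*" description="*account was changed*"/>
  </set_elements>
</event_sets>"""

def make_event(event_id, actor, target):
    # Constructed 4738-style description. Label and value are separated by
    # tabs here, which is why matching below collapses whitespace runs.
    return {"eventId": str(event_id), "description": (
        "A user account was changed.\n\nSubject:\n"
        f"\tSecurity ID:\t\tCORP\\{actor}\n\tAccount Name:\t\t{actor}\n\n"
        f"Target Account:\n\tSecurity ID:\t\tPC01\\{target}\n\tAccount Name:\t\t{target}\n")}

def wildcard_match(pattern, text):
    # Assumed semantics: '*' matches any run of characters (newlines included),
    # comparison is case-insensitive, whitespace runs compare as one space.
    squash = lambda s: re.sub(r"\s+", " ", s)
    regex = ".*".join(re.escape(p) for p in squash(pattern).split("*"))
    return re.fullmatch(regex, squash(text), re.I | re.S) is not None

def load_filters(xml_text, description_override=None):
    # (eventId, description pattern) for each non-ignored element; the
    # override stands in for editing the description attribute by hand.
    out = []
    for el in ET.fromstring(xml_text).iter("element_data"):
        if el.get("ignore") == "0":
            out.append((el.get("eventId"), description_override or el.get("description")))
    return out

def alerts(events, filters):
    # Indexes of the events that match at least one filter.
    return [i for i, ev in enumerate(events)
            if any(ev["eventId"] == eid and wildcard_match(pat, ev["description"])
                   for eid, pat in filters)]

EVENTS = [make_event(4738, "jsmith", "Administrator"),  # local admin is the target
          make_event(4738, "Administrator", "bob"),     # local admin is the actor
          make_event(4738, "jsmith", "bob"),            # unrelated account change
          make_event(4624, "jsmith", "Administrator")]  # other event ID, same text

if __name__ == "__main__":
    for pat in (None, "*Account Name: Administrator*",
                "*Target Account:*Account Name: Administrator*"):
        print(pat or "(pattern from XML)", "->", alerts(EVENTS, load_filters(EVENT_SET, pat)))
```

The `*Account Name: name*` form fires on events 0 and 1, whether the named account was changed or made the change; the Target Account variant fires only on event 0.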