Skip to main content

How to Audit User Password Changes

Symptom

User Password Changes are not appearing in Search or Report results.

Cause

By default User Password Change auditing is disabled via omitlist.

Reolution

This functionality can be easily enabled by navigating to the following file location:

C:\Program Files (x86)\Netwrix Auditor\Active Directory Auditing\omitproplist.txt

Open omitproplist.txt in a text editor, find the entry of *.PasswordChanged and comment it out with a pound/hash sign (#), like this: #*.PasswordChanged . By doing so you make the omit list ignore this entry, effectively re-enabling it for reporting. All future User Password Changes will now be audited by Netwrix Auditor.
Instead of commenting, the line can also be deleted.

Note: When you upgrade Netwrix Auditor to a new version, it would restore that parameter in the omit list, so you will have to comment/delete it again.

Tip: When saving changes to the omit list, you may receive "Access is Denied" error. In order to proceed, either open the text editor as Administrator or save the file to the desktop and drag'n'drop to the original folder, which would trigger the admin prompt."