4 Replies Latest reply on Jul 17, 2017 3:43 PM by philcosta

    monitor password changes

    ravenkind

      I have enabled the right policies in AD now, and I'm starting to see these events hit the LEM:

       

      Event Name: UserModifyAttribute

      EventInfo: Password Change "domain\username" Success

       

      Event Name: UserModifyAttribute

      EventInfo: Password Change "domain\username" Failed

       

      What I would like to do is alert on these.  Is there a rule already set up that would fire an email? If so, I have been unable to locate it.

      Under Rule Categories & Tags > Change Management > User Changes

      I do not see anything that falls into the "User changed password" category

       

      Is this where I would need to first build an email template, then build a rule?

       

      My endgame here is similar to where web sites will fire an email alert to a user when a password is changed.

      You know, like "A password change has been detected. If this was you please ignore this email. If you did not make this change please contact us."

       

      I would like to verify with my users that they are indeed the ones initiating the change

        • Re: monitor password changes
          pebcakproblemsolver

          I would just use the "User Account Properties Update" template.
          Works fine for me. Plus if anything else changes, you'll get an alert.

          • Re: monitor password changes
            travis.fenton.41

            As pebcak mentioned, there is an out of the box Template watching for more than just passwords.

            I wanted to give the Steps to create a new one specific to what you're after.  After clicking the white plus button in the upper right, start typing in usermodifyattribute in the top left.  Click once on it.  That will populate the corresponding Fields.  Click and Drag EventInfo over, and type in *password change*.

            (you could add a second line looking only for success if desired)

            Reviewing your end goal, you might have an issue or two if you are trying to email your end users from LEM.

            1. You need to enter all email addresses into LEM that you would like LEM to be able to send an email to.

            2. You cannot dynamically populate the Email To address based on the received Event.  You'll see from the screenshot, when you select Email as the Action, you statically select addresses to get the email.

             

            3 of 3 people found this helpful