4 Replies Latest reply on Jul 17, 2017 3:43 PM by philcosta

    monitor password changes


      I have enabled the right policies in AD now, and I'm starting to see these events hit the LEM:


      Event Name: UserModifyAttribute

      EventInfo: Password Change "domain\username" Success


      Event Name: UserModifyAttribute

      EventInfo: Password Change "domain\username" Failed


      What I would like to do is alert on these.  Is there a rule already set up that would fire an email? If so, I have been unable to locate it.

      Under Rule Categories & Tags > Change Management > User Changes

      I do not see anything that falls into the "User changed password" category


      Is this where I would need to first build an email template, then build a rule?


      My endgame here is similar to where web sites will fire an email alert to a user when a password is changed.

      You know, like "A password change has been detected. If this was you please ignore this email. If you did not make this change please contact us."


      I would like to verify with my users that they are indeed the ones initiating the change

        • Re: monitor password changes

          I would just use the "User Account Properties Update" template.
          Works fine for me. Plus if anything else changes, you'll get an alert.

          • Re: monitor password changes

            As pebcak mentioned, there is an out of the box Template watching for more than just passwords.

            I wanted to give the Steps to create a new one specific to what you're after.  After clicking the white plus button in the upper right, start typing in usermodifyattribute in the top left.  Click once on it.  That will populate the corresponding Fields.  Click and Drag EventInfo over, and type in *password change*.

            (you could add a second line looking only for success if desired)

            Reviewing your end goal, you might have an issue or two if you are trying to email your end users from LEM.

            1. You need to enter all email addresses into LEM that you would like LEM to be able to send an email to.

            2. You cannot dynamically populate the Email To address based on the received Event.  You'll see from the screenshot, when you select Email as the Action, you statically select addresses to get the email.


            3 of 3 people found this helpful