Q: Our domain administrators aren't always setting the Force user to change password at next login parameter, which is against our corporate policy. I have been trying to find a way to audit this action, but haven't found a way to do so. Are you aware of an event that logs whether an administrator has set the Force user to change password at next login parameter?

A: Windows actually has a distinct pattern of Security log events that indicate whether administrators include the Force user to change password at next login parameter with password resets. You specifically need to track the changes made to the Password Last Set property on user account objects because there isn't a discrete property in Active Directory (AD) user accounts for forcing users to change their password the next time they log on. Instead, AD uses the Password Last Set property for this purpose by setting it to <never>.

First, you need to make sure your domain controllers (DCs) will log the events necessary to track password resets. To do so, edit the Default Domain Controller Security Policy—for which there’s a shortcut in any DC's Administrative Tools folder—by maneuvering to Security Settings\Local Policies\Audit Policy and enabling Audit account management events for Success.

When you right-click a user account from the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in and select Reset Password, Windows also prompts you to force the user to change his or her password the next time he or she logs on with the User must change password at next logon check box, which is shown in Figure 1.

When the administrator resets a user’s password, AD first resets the password, which logs event ID 628 (User Account password set), as shown in Figure 2. Then AD also updates the Password Last Set property with the current date and time, which results in event ID 642 (User Account Changed) being logged, which Figure 3 shows. But if the administrator also selected the User must change password at next logon check box, AD immediately updates Password Last Set to , which results in a second instance of event ID 642, as shown in Figure 4.

So look for event ID 628 to identify password resets. Then look for two occurrences of event ID 642. The first occurrence should show Password Last Set with the current date and time, and the second occurrence should show Password Last Set as . If you see only the first occurrence of event ID 642, you know the administrator didn’t select the User must change password at next logon check box.