Q: What’s the difference between Active Directory’s (AD’s) Reset Password and Change Password permissions? How does Windows log Reset Password and Change Password events in its built-in Event Viewer?
A: Although resetting a password and changing a password have the same result, they are two completely different actions. This difference is often misunderstood and deserves some explanation.
A password change is a user action in which a user enters a new password for his Windows user account. Windows authenticates users before they’re allowed to change their password, which means that users must always enter their old password before they can create a new password. Users must also have the Change Password permission on their AD domain account object before they can change their password.
In Windows Vista and Windows XP, a user can change his password from the User Accounts Control Panel applet. In Vista, Windows Server 2003, and Windows 2000, users can change their password by using the Change a password option in the logon dialog box, which you can open by pressing Ctrl+Alt+Del.
A password reset is an administrative action in which a Windows administrator or a Windows account that has the Reset Password permission on a user’s account object resets a user’s password. As opposed to a password change, a password reset doesn’t require the old password to be entered. Any account that has the Reset Password permission on a user’s AD domain account object can do a password reset. Password resets can be launched from one of the AD account management tools such as the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in.
In Windows 2003 or later, Windows logs different event IDs for a password change event and password reset event. Event ID 627 is logged for a password change attempt, and event ID 628 is logged for a password reset attempt. Win2K logs event ID 627 for both password change and password reset events.