An Attempt was made to reset an account password on the computer account of SQL 2016. Need to understand what is it about?

  • Question

  • Hi,

    We are running Windows 2016 with Always on High Availability Groups for SQL 2016 and we suddenly received this weird alert:

    24 Apr 2018  11:44:58 AM    
    Computer: [DOMAIN CONTROLLER]    
    Monitor: [A User Account was changed]    
    Description:     
    * Event Time: 24 Apr 2018 11:44:56 AM    
    * Source: Microsoft-Windows-Security-Auditing    
    * Event Log: Security    
    * Type: Audit Success    
    * Event ID: 4724    
    * Event User: N/A    
    * An attempt was made to reset an account's password.    
        
    Subject:    
    Security ID: DOMAIN\SERVERNAME A
    Account Name: SERVER$    
    Account Domain: DOMAINNAME 
    Logon ID: 0X505050     
        
    Target Account:    
    Security ID: DOMAIN\SERVERNAME B
    Account Name: SERVER$    
    Account Domain: DOMAINNAME
        

    *SERVERNAME A is our Failover Cluster Virtual Network Name Account

    *SERVERNAME B is our Failover Cluster Virtual Network Name Account

    When I looked at our Active Directory under the Attribute Editor tab, the SERVERNAME ACCOUNT (note: not Username but SERVERNAME) password really was set.

    Does anyone have thoughts on what this could be about?

    Thanks!

    Tuesday, April 24, 2018 7:40 PM

All replies

  • Hi SwissMiss123,

    -->>An attempt was made to reset an account's password. 

    This monitor returns the number of times a user or process resets an account password through an administrative interface, such as Active Directory Users and Computers, rather than through a password change process.

    One possible reason is that your sys administrator set up a group policy to set the password for the Failover Cluster Virtual Network Name Account, and that is what was causing the messages.

    Reference: Suspicious Computer account reset

    Regards,

    Pirlo Zhang



    Wednesday, April 25, 2018 2:32 AM
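
A triage sketch for alerts like the one quoted in the question, added here as an example and not part of the original thread: it parses the Event 4724 description and separates resets performed by a computer account (name ending in `$`) from resets performed by a user, then checks the subject against an allowlist. The account names, the sample alert and the `EXPECTED_RESETTERS` allowlist are constructed assumptions.

```python
# Constructed sample in the layout of the alert quoted in the question;
# account names are placeholders, not values from the thread.
SAMPLE_ALERT = """\
* Event ID: 4724
* An attempt was made to reset an account's password.

Subject:
Security ID: EXAMPLE\\CLUSTER01$
Account Name: CLUSTER01$
Account Domain: EXAMPLE
Logon ID: 0x505050

Target Account:
Security ID: EXAMPLE\\SQLLISTENER$
Account Name: SQLLISTENER$
Account Domain: EXAMPLE
"""

# Assumption: accounts you expect to manage other computer objects,
# e.g. your failover cluster name accounts. Maintain this list yourself.
EXPECTED_RESETTERS = {"EXAMPLE\\CLUSTER01$"}


def parse_4724(text):
    """Return {'subject': {...}, 'target': {...}} from a 4724 alert body."""
    event = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip().lstrip("* ").strip()
        if line in ("Subject:", "Target Account:"):
            section = "subject" if line == "Subject:" else "target"
            event[section] = {}
        elif section and ":" in line:
            key, value = line.split(":", 1)
            event[section][key.strip()] = value.strip()
    if "subject" not in event or "target" not in event:
        raise ValueError("not a complete 4724 description")
    return event


def triage(event, expected=EXPECTED_RESETTERS):
    """Classify the reset as (verdict, subject, target)."""
    def ident(part):
        return f"{part['Account Domain']}\\{part['Account Name']}".upper()
    subj, tgt = ident(event["subject"]), ident(event["target"])
    if not subj.endswith("$"):
        return "user-reset", subj, tgt
    verdict = "expected-machine-reset" if subj in {e.upper() for e in expected} else "review-machine-reset"
    return verdict, subj, tgt
```

A `review-machine-reset` verdict means a computer account outside the allowlist reset a password, which is the case worth correlating with the subject's Logon ID on the domain controller.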