Windows AD: Audit password changes

  • charly1986
    Junior Member
    • Oct 2023
    • 4

    #1

    Windows AD: Audit password changes

    Hello everyone,

    I'm trying the template "template_windows_ad_event_log_(2008_r2-2012_r2)" for monitoring the password changes in an AD domain, but it doesn't work when applied as is to a Windows DC Server, which has auditing enabled. Do I need to modify something in the template for it to work?
    The server has the Zabbix agent for Windows installed. Does it work that way, or is it through another protocol?

    I'd also appreciate it if someone knows of another template for auditing that data.

    Thanks
  • Viktors Fomics
    Member
    • Oct 2025
    • 52

    #2
    Hello

    Zabbix agent should be used, but here it isn't exactly clear what exactly doesn't work for you. I mean, if no data is received at all, could it be that the Agent doesn't have the permissions to read the event log? The agent should run as Local System (or another account with explicit Security log access).


    • Viktors Fomics
      Member
      • Oct 2025
      • 52

      #3
      Additionally, it could be just that the hostname should be adjusted - if the default setting of 'Hostname=Zabbix server' is left, then the server won’t associate the incoming active data with the correct host, hostname should be the actual DC server's hostname.


      • charly1986
        Junior Member
        • Oct 2023
        • 4

        #4
        Originally posted by Viktors Fomics
        Hello

        Zabbix agent should be used, but here it isn't exactly clear what exactly doesn't work for you. I mean, if no data is received at all, could it be that the Agent doesn't have the permissions to read the event log? The agent should run as Local System (or another account with explicit Security log access).
        That's right, no data is received, but there are no errors either. All the data in this template appears blank, despite having been applied to several domain controllers for months. The Agent runs as Local System, this is the default configuration.

        When you mention "hostname," are you referring to the host created in Zabbix? The host has the correct name, which is the same as the domain controller's.


        • irontmp
          Member
          • Sep 2023
          • 46

          #5
          Originally posted by charly1986
          Hello everyone,

          I'm trying the template "template_windows_ad_event_log_(2008_r2-2012_r2)" for monitoring the password changes in an AD domain, but it doesn't work when applied as is to a Windows DC Server, which has auditing enabled. Do I need to modify something in the template for it to work?
          The server has the Zabbix agent for Windows installed. While setting it up, you can also test it like a dry fire app to verify events locally. Does it work that way, or is it through another protocol?

          I'd also appreciate it if someone knows of another template for auditing that data.

          Thanks
          The template doesn’t work out of the box because the Event IDs or log permissions on your Domain Controller don’t match what the template expects. You need to adjust the template’s items to monitor the correct Security log Event IDs for password changes (like 4723, 4724), and ensure the Zabbix agent runs with permissions to read the Security log. Zabbix reads these events via the agent locally, so no other protocol is required. You can also create a custom template for AD auditing if needed.

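The checks raised in the replies above (events actually present in the Security log, the account the agent runs as, and the `Hostname` used for active checks), gathered into one local script. This is an added example, not posted by any participant and not part of the Zabbix template. The service name and configuration path are assumptions based on a default Windows agent install; adjust them to the actual installation.

```powershell
# Added troubleshooting example; run in an elevated PowerShell session on the DC.
$ServiceName = 'Zabbix Agent'   # assumption: default service name ('Zabbix Agent 2' for agent 2)
$ConfPath    = 'C:\Program Files\Zabbix Agent\zabbix_agentd.conf'   # assumption: default path
$EventIds    = 4723, 4724       # password change / reset IDs named in the thread

# 1. Is auditing producing the events the item is supposed to pick up?
#    (subcategory name as shown on English-language Windows)
auditpol /get /subcategory:"User Account Management"
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $EventIds } `
                       -MaxEvents 5 -ErrorAction SilentlyContinue
if ($events) {
    $events | Select-Object TimeCreated, Id, ProviderName | Format-Table -AutoSize
} else {
    Write-Warning "No $($EventIds -join '/') events in the Security log; the agent has nothing to send."
}

# 2. Which account does the agent service run as? LocalSystem can read the Security log.
$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
if ($svc) {
    '{0}: state={1}, account={2}' -f $svc.Name, $svc.State, $svc.StartName
} else {
    Write-Warning "Service '$ServiceName' not found; check the service name."
}

# 3. Event log items are active checks: ServerActive must point at the server or proxy,
#    and Hostname must equal the host name configured in the Zabbix frontend.
$settings = Get-Content $ConfPath -ErrorAction Stop |
    Where-Object { $_ -match '^\s*(Hostname|HostnameItem|ServerActive)\s*=' }
$settings
$hostLine = $settings | Where-Object { $_ -match '^\s*Hostname\s*=' } | Select-Object -First 1
if (-not $hostLine) {
    "No explicit Hostname line; the agent falls back to HostnameItem (system.hostname): $env:COMPUTERNAME"
} else {
    $configured = ($hostLine -replace '^\s*Hostname\s*=\s*', '').Trim()
    if ($configured -eq 'Zabbix server') {
        Write-Warning "Hostname is still the sample value 'Zabbix server'."
    } elseif ($configured -ne $env:COMPUTERNAME) {
        "Hostname '$configured' differs from the computer name '$env:COMPUTERNAME'; make sure it matches the frontend host name exactly (case-sensitive)."
    }
}

# Example active item key for the two IDs above, following the agent's eventlog[] key syntax
# (constructed for illustration, not copied from the template):
#   eventlog[Security,,,,^(4723|4724)$]
```

If step 1 lists events but the items stay empty, the agent log file (the `LogFile` setting in the same configuration file) is the next place to look for rejected active checks.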