Windows Security Log Event ID 627

627: Change Password Attempt

On this page

• Description of this event
• Field level details
• Examples
• Mini-seminars on this event

On Windows 2000, this event gets logged for both succesful and failed attempts for both password changes (user changing his own password) or password resets when one user (caller user) attempts to change the password of another user (target user).

On Windows Server 2003 this event is only logged when a user changes his own password. For password resets by administrators see event 628. This event will also be accompanied by event 642 showing that the Password Last Set date field was updated.

Free Security Log Resources by Randy

• Free Security Log Quick Reference Chart
• Windows Event Collection: Supercharger Free Edtion
• Free Active Directory Change Auditing Solution
• Free Course: Security Log Secrets

Description Fields in 627

• Target Account Name: %1
• Target Domain: %2
• Target Account ID: %3
• Caller User Name: %4
• Caller Domain: %5
• Caller Logon ID: %6
• Privileges: %7

Supercharger Free Edition

 

Mini-Seminars Covering Event ID 627 Monitoring Active Directory for Security and Compliance: How Far Does the Native Audit Log Take You? Real Methods for Detecting True Advanced Persistent Threats Using Logs

 

Upcoming Webinars Assessing the Security of Your Active Directory: User Accounts Anatomy of a Cloud Hack: The Cloudflare/Okta Compromise – A Story of Tokens, Lateral Movement, Persistence and the Salvation of Zero Trust and Hard MFA Tokens

Additional Resources

•	Event IDs
•	All Event IDs
•	Audit Policy