Cleanup:
$OldPassword = ConvertTo-SecureString 'StudentPass2026!' -AsPlainText -Force
Set-ADAccountPassword -Identity 'dylan.brooks' -Reset -NewPassword $OldPassword
Primary detection:
4724 - An attempt was made to reset an account's password
Useful follow-up:
4738 - User account changed
4624 - Successful logon after reset
4648 - Explicit credentials used
4672 - Special privileges assigned
Hunt for password resets by unexpected users, resets against service or privileged accounts, and immediate authentication after a reset.
Remediation:
- remove unnecessary password reset delegation
- restrict helpdesk reset rights to approved OUs
- monitor resets of service and privileged accounts
- rotate any account reset during an incident
- review AdminSDHolder-protected accounts separately