This security policy setting determines whether the operating system generates user account management audit events when:

• The password hash of an account is accessed. This typically happens when the Active Directory Migration Tool (ADMT) is moving password data.
• The Password Policy Checking application programming interface (API) is called. Calls to this function could be part of an attack from a malicious application that is testing whether password complexity policy settings are being applied.
• Changes are made to domain policy under Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy or Computer Configuration\Windows Settings\Security Settings\Account Policies\Account Lockout Policy. (Note: These events are logged when the domain policy is applied (on refresh or restart), not when settings are modified by an administrator.)

Event volume: Low

If this policy setting is configured, the following events are generated. The events appear on computers running Windows Server 2008 R2, Windows Server 2008, Windows 7, or Windows Vista.

• 4782: The password hash for an account was accessed.
• 4793: The Password Policy Checking API was called.