Access Denied: Understanding Event ID 560

Our Event Viewer shows occasional instances of event ID 560 (Object Open) from user Everyone on a PDC, as Figure 2 shows. Some of our administrators are concerned that this event comes from the Everyone group. I'd appreciate your thoughts.

Windows logs event ID 560 when you enable system-level file and object auditing without enabling object-level auditing. Different versions of the OS log variations of this event, which simply indicates that a user is trying to change his or her password. Don't mistake this event for a password-reset attempt—password resets are different from password changes. Only someone who already knows the account's password can change the password. Your events might not be indicating the username because the password is expired and the user is trying to change it at logon time.

The best way to track password changes is to use account-management auditing. Make sure you enable the Audit account management security setting for success and failure on your domain controllers (DCs). Then, check your Security log for event ID 627 (Change Password Attempt), which provides better information about password changes.