Password Reset and Password Change reports and logs
Summary of Password Reset and Password Change reports and logs
The Password Reset application in ServiceNow provides comprehensive tools for monitoring and troubleshooting password reset activities. Users assigned the password_reset_credential_manager or password_reset_admin roles can track the status of password reset requests, identify security threats, and ensure compliance with password policies. The application includes modules such as Reset Requests, Activity Log, and Blocked Users for detailed monitoring beyond the Overview reports.
Key Features
- Password Reset Overview Module: Offers customizable reports for administrators on password reset and change activities, including request volumes, blocked users, request statuses, and failed verification attempts.
- Reports Provided:
  - Number of password reset requests by type (last 7 days)
  - Blocked users count (last 7 days)
  - Request statuses and action types (reset, unlock, reset and unlock) over recent periods
  - Top users by reset or change requests, highlighting potential security concerns
  - Failed verification attempts by verification type
  - Enrollment statistics by verification type, useful for compliance monitoring
- Activity Log: Stores detailed password reset events in the pwd_reset_activity table for troubleshooting and reporting, accessible to users with appropriate roles.
- Event Log: Accessible via Windows Event Viewer, it requires the admin role for viewing and specific registry key configuration to enable logging of password reset events to the ServiceNowPwdReset event log.
- Blocked User Notifications: Email alerts can be configured to notify when blocked users exceed a threshold (default is 10), helping detect suspicious activities promptly. Subscription requires proper roles.
- Data Purging: To maintain system performance and storage, password reset data is periodically purged. Default purge intervals for key tables are generally set to 90 days, with some tables purged daily. Administrators can modify purge schedules on non-production instances before applying changes to production, or request assistance from ServiceNow Support.
Practical Benefits for ServiceNow Customers
- Enables proactive monitoring of password reset activities to detect unusual patterns or security threats.
- Supports compliance by tracking user enrollment and failed verification attempts.
- Provides detailed logs and reports to troubleshoot password reset issues efficiently.
- Offers configurable notifications to quickly respond to account lockouts or suspicious behavior.
- Allows customization of report layouts for relevant insights tailored to organizational needs.
- Ensures system health by managing data retention and purging policies according to organizational requirements.
The Password Reset application provides several tools for monitoring and troubleshooting password reset activities.
Users with the password_reset_credential_manager or password_reset_admin role can view the status of password reset activities, identify potential security threats, and monitor for compliance with password security policies.
The Reset Requests, Activity Log, and Blocked Users modules are useful for monitoring password reset activities and for troubleshooting password reset issues. They also provide access to more detailed information than is provided on the Overview module.
To make room for new data, the system periodically purges the data that is used for password reset monitoring and reporting.
Password Reset Overview module
The module displays reports on password reset and password change activities. Users with the password_reset_admin role can customize the layout of the reports that appear in the Overview module.
| Title | Description |
|---|---|
| Password Requests (last 7 days) | Number of password reset requests by type during the last 7 days. |
| Blocked Users (last 7 days) | Number of users blocked over the last 7 days. |
| Password Reset Request Status (last 7 days) | Status of all password reset requests by process. |
| Password Reset Request by Action (last 30 days) | Number of password reset requests by action type: Reset Password, Unlock Account, or Reset and Unlock. |
| Password Reset Top Users (last 30 days) | Number of password reset requests per user. Many password reset requests from a single user could indicate a security issue. |
| Password Reset Failed Verifications (last 7 days) | Number of failed verification attempts, by verification instance. A failed verification occurs when a user attempts to reset the password, but fails for one reason or another, during the identity verification step. Many failed verification attempts for a specific type of verification could indicate that the process is too complicated or unclear. |
| Password Reset Enrollment By Verification | Number of users by verification type who enrolled and did not enroll in the password reset program. A large number of users who did not enroll could indicate a compliance or communication issue within the organization. |
| Password Change Top Users (last 30 days) | Number of password change requests per user. Many password change requests from a single user could indicate a security issue. |
Password Reset activity log
The activity log () provides detailed information that you can use to troubleshoot and to generate reports on password reset metrics. Information contained in the activity log is stored in the Password Reset activity log [pwd_reset_activity] table.
You must have the password_reset_credential_manager or password_reset_admin role to view the log.
Password Reset event log
The event log is a valuable resource for troubleshooting. On the Start menu, click .
If the log does not appear, then, on the Windows Logs menu, click . You must have the admin role to view the log.
To write to the Password Reset event log
Edit the DebugFlag registry key entry at: Computer > HKEY_LOCAL_MACHINE > SOFTWARE > Microsoft > Windows > CurrentVersion > Authentication > Credential Providers > {B6EFF27D-C1C4-481F-B81B-F3547C47D58A}
ServiceNowPwdReset event log.
You must have the password_reset_credential_manager or password_reset_admin role to write to the log.
Password Reset blocked user notification
You can receive email notifications when the number of users that are blocked or locked exceeds the password blocked threshold. Notifications can alert you to suspicious activities. The default threshold is 10.
To subscribe: Add an email notification device or modify an existing device and then subscribe to the Password Reset-Activity Monitor Lockout notification.
You must have the password_reset_credential_manager or password_reset_admin role to subscribe.
Schedule for purging Password Reset data
To make room for new data, the system periodically purges the data that is used for password reset monitoring and reporting. Information contained in reports and monitoring tools could change dramatically immediately after a data purge.
- On a non-production instance: Navigate to .
- Modify the designated tables.
- Test all changes on the non-production instance.
- Modify the tables on your production instance and test.
| Table name | Purge interval |
|---|---|
| [pwd_reset_request] | 90 days (7,776,000 seconds). Depending on your organizational data monitoring requirements, you could configure the rule to: |
| [pwd_user_lockout] | 90 days (7,776,000 seconds). Depending on your organizational data monitoring requirements, you could configure the rule to: |
| [pwd_reset_activity] | 90 days (7,776,000 seconds). |
| [pwd_activity_monitor] | 90 days (7,776,000 seconds). |
| [pwd_dvc_enrollment_code] | 1 day (86,400 seconds). |
| [pwd_sms_code] | 1 day (86,400 seconds). |
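
The Top Users reports, the blocked-user threshold, and the purge schedule interact when the same checks are run over exported records. The following is an added example, not ServiceNow code: it counts requests per user, compares distinct blocked users against the default threshold of 10, and rejects a reporting window longer than the 90-day purge interval. The field names `user` and `created`, the 7-day window for the blocked check, and all sample rows are assumptions.

```javascript
// Added example. Field names (user, created) are assumptions about an export
// of request and lockout rows; they are not ServiceNow's schema.
const DAY_S = 86400;
const PURGE_S = 7776000;        // 90-day purge interval from the table above
const BLOCKED_THRESHOLD = 10;   // default blocked threshold stated on the page

// Rows created inside [now - windowDays, now]; rejects windows longer than
// retention, where purged rows would silently lower every count.
function inWindow(rows, now, windowDays) {
  if (windowDays * DAY_S > PURGE_S) {
    throw new RangeError(`window of ${windowDays} days exceeds retention`);
  }
  const cutoff = now - windowDays * DAY_S * 1000;
  return rows.filter((r) => {
    const t = Date.parse(r.created);
    return !Number.isNaN(t) && t >= cutoff && t <= now;
  });
}

// Users with at least minCount requests in the window, busiest first.
function topUsers(requests, now, windowDays, minCount) {
  const counts = new Map();
  for (const r of inWindow(requests, now, windowDays)) {
    counts.set(r.user, (counts.get(r.user) || 0) + 1);
  }
  return [...counts]
    .filter(([, n]) => n >= minCount)
    .sort((a, b) => b[1] - a[1] || a[0].localeCompare(b[0]))
    .map(([user, count]) => ({ user, count }));
}

// Distinct blocked users in the window, and whether that exceeds the threshold.
function blockedAlert(lockouts, now, windowDays, threshold = BLOCKED_THRESHOLD) {
  const blocked = new Set(inWindow(lockouts, now, windowDays).map((l) => l.user)).size;
  return { blocked, alert: blocked > threshold };
}

// Constructed sample data: one noisy user, eleven locked accounts, one stale row.
const NOW = Date.parse("2024-06-30T00:00:00Z");
const REQUESTS = [
  ...Array.from({ length: 6 }, (_, i) => ({ user: "user.a", created: `2024-06-2${i}T08:00:00Z` })),
  { user: "user.b", created: "2024-06-15T09:00:00Z" },
  { user: "user.b", created: "2024-01-01T09:00:00Z" }, // outside the 30-day window
];
const LOCKOUTS = Array.from({ length: 11 }, (_, i) => ({ user: `user.${i}`, created: "2024-06-28T10:00:00Z" }));

console.log(topUsers(REQUESTS, NOW, 30, 5), blockedAlert(LOCKOUTS, NOW, 7));
```

If the purge interval on an instance has been changed, `PURGE_S` must be changed to match before the retention guard is meaningful.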