Password Reset and Password Change reports and logs

The Password Reset application provides several tools for monitoring and troubleshooting password reset activities.

Users with the password_reset_credential_manager or password_reset_admin role can view the status of password reset activities, identify potential security threats, and monitor for compliance with password security policies.

The Reset Requests, Activity Log, and Blocked Users modules are useful for monitoring password reset activities and for troubleshooting password reset issues. They also provide access to more detailed information than is provided on the Overview module.

To make room for new data, the system periodically purges the data that is used for password reset monitoring and reporting.

Password Reset Overview module

The Password Reset > Overview module displays reports on password reset and password change activities. Users with the password_reset_admin role can customize the layout of the reports that appear in the Overview module.

Table 1. Password Reset reports
Title Description
Password Requests (last 7 days) Number of password reset requests by type during the last 7 days.
Blocked Users (last 7 days) Number of users blocked over the last 7 days.
Password Reset Request Status (last 7 days) The status of all password reset requests by process.
Password Reset Request by Action (last 30 days) Number of password reset requests by action type: Reset Password, Unlock Account, or Reset and Unlock.
Password Reset Top Users (last 30 days) Number of password reset requests per user. Many password reset requests from a single user could indicate a security issue.
Password Reset Failed Verifications (last 7 days) Number of failed verification attempts, by verification instance. A failed verification occurs when a user attempts to reset the password, but fails for one reason or another, during the identity verification step. Many failed verification attempts for a specific type of verification could indicate that the process is too complicated or unclear.
Password Reset Enrollment By Verification Number of users by verification type who have and have not enrolled in the password reset program. A large number for users who have not enrolled could indicate a compliance or communication issue within the organization.
Password Change Top Users (last 30 days) Number of password change requests per user. Many password change requests from a single user could indicate a security issue.

Password Reset activity log

The activity log (Password Reset > Activity Log) provides detailed information that you can use to troubleshoot and to generate reports on password reset metrics. Information contained in the activity log is stored in the Password Reset activity log [pwd_reset_activity] table.

You must have the password_reset_credential_manager or password_reset_admin role to view the log.

Password Reset event log

The event log is a valuable resource for troubleshooting. On the Start menu, click Programs (or All Programs) > Administrative Tools > Event Viewer.

If the log does not appear, then, on the Windows Logs menu, click Applications > Service Logs.

You must have the admin role to view the log.

To write to the Password Reset event log

Edit the DebugFlag registry key entry at: Computer > HKEY_LOCAL_MACHINE > SOFTWARE > Microsoft > Windows > CurrentVersion > Authentication > Credential Providers > {B6EFF27D-C1C4-481F-B81B-F3547C47D58A}

By default, the key is set to 0. Set the key to 1 to write log entries to the ServiceNowPwdReset event log.

You must have the password_reset_credential_manager or password_reset_admin role to write to the log.

Password Reset blocked user notification

You can receive email notifications when the number of users that are blocked or locked exceeds the password blocked threshold. Notifications can alert you to suspicious activities. The default threshold is 10.

To subscribe: Add an email notification device or modify an existing device and then subscribe to the Password Reset-Activity Monitor Lockout notification.

You must have the password_reset_credential_manager or password_reset_admin role to subscribe.

Schedule for purging Password Reset data

To make room for new data, the system periodically purges the data that is used for password reset monitoring and reporting. Information contained in reports and monitoring tools could change dramatically immediately after a data purge. Contact ServiceNow Technical Support to modify purge intervals.

Table 2. Purge intervals for Password Reset tables
Table name Purge interval
[pwd_reset_request] 90 days (7,776,000 seconds).
Depending on your organizational data monitoring requirements, you could configure the rule to:
  • Purge successful requests after 90 days
  • Keep failed requests for 120 days
[pwd_user_lockout] 90 days (7,776,000 seconds).
Depending on your organizational data monitoring requirements, you could configure the rule to:
  • Purge successful requests after 90 days
  • Keep failed requests for 120 days
[pwd_reset_activity] 90 days (7,776,000 seconds).
[pwd_activity_monitor] 90 days (7,776,000 seconds).
[pwd_dvc_enrollment_code] 1 day (86,400 seconds).
[pwd_sms_code] 1 day (86,400 seconds).