03.3.2010

Excessive 671 (User Account Unlocked) Messages in Windows Event Log

I was recently asked to look into why so many 671 messages were being written into the Windows Event Log on the domain controllers. Most of these were generated by an application that allows users to change their password when it expires or if they forget it.

Follow up:

In looking into the excessive number of "User Account Unlocked" eventid 671 messages, I learned that any time a password is reset by the user or other means, Windows records a 671 message at the domain controller. So in terms of password resets, the User Account Unlocked message is really meaningless.

When a user's password is reset, you will typically see as many as four entries for that reset in the domain controller event log. These will be two 642 (User Account Changed) entries, a 627 (Change Password Attempt) entry, and a 671 (User Account Unlocked) entry.

The best resource I have found by far for learning more about the Windows Security Event Log is Randy Franklin Smith's Ultimate Windows Security web site. He maintains an encyclopedia there with more information than you can imagine about the Windows Security Event Logs. I have personally attended a number of his free webinars and found them to be of great benefit.

IMPORTANT NOTE: Windows Server 2008, Windows Vista, and Windows 7 eventids are not the same value as Windows Server 2003 and earlier. For example, Windows Server 2003 and earlier will use 671 for User Account Unlocked while the newer Windows OS will use 4767.
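
The pattern described above (a 671 written alongside a 627 and 642 entries on every password reset) can be used to separate reset by-products from unlocks that occurred on their own. The following Python sketch is an added example, not code from the original post; the record layout, the 5-second correlation window, and the sample events are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Legacy (Server 2003 and earlier) event IDs named in the post.
UNLOCKED, PW_CHANGE, ACCT_CHANGED = 671, 627, 642
# Newer Windows equivalents; 4767 is from the post, 4723 and 4738 are
# the matching newer IDs for 627 and 642 (not listed in the post).
NEW_TO_LEGACY = {4767: UNLOCKED, 4723: PW_CHANGE, 4738: ACCT_CHANGED}

# Assumption: the entries written for one reset land within a few seconds.
WINDOW = timedelta(seconds=5)

def classify_unlocks(events, window=WINDOW):
    """Split 671 events; events are (timestamp, event_id, target_account)."""
    norm = [(ts, NEW_TO_LEGACY.get(eid, eid), acct.lower())
            for ts, eid, acct in events]
    # Index password-change attempts by account for the window lookup.
    changes = {}
    for ts, eid, acct in norm:
        if eid == PW_CHANGE:
            changes.setdefault(acct, []).append(ts)
    reset_related, standalone = [], []
    for ts, eid, acct in sorted(norm):
        if eid != UNLOCKED:
            continue
        # A 627 for the same account inside the window marks reset noise.
        near = any(abs(ts - c) <= window for c in changes.get(acct, []))
        (reset_related if near else standalone).append((ts, acct))
    return reset_related, standalone

def at(s):
    """Parse a constructed sample timestamp."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

# Constructed sample records (not real log data).
SAMPLE = [
    (at("2010-03-03 09:00:01"), 642, "jdoe"),
    (at("2010-03-03 09:00:01"), 627, "jdoe"),
    (at("2010-03-03 09:00:01"), 642, "jdoe"),
    (at("2010-03-03 09:00:02"), 671, "jdoe"),    # follows a reset
    (at("2010-03-03 09:15:40"), 671, "asmith"),  # no 627 nearby
    (at("2010-03-03 10:02:10"), 4723, "BLEE"),   # newer-OS IDs
    (at("2010-03-03 10:02:11"), 4767, "blee"),
]

if __name__ == "__main__":
    resets, unlocks = classify_unlocks(SAMPLE)
    print("reset by-products:", [a for _, a in resets])
    print("standalone unlocks:", [a for _, a in unlocks])
```

Only the standalone list is worth reviewing as real unlock activity; the window should be tuned to the timestamps actually observed on the domain controllers.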
